Privacy Policy

Last Updated: March, 2026

Controller and Data Protection Officer

The controller responsible for data processing on this website is:

sprylab technologies GmbH  
Keithstraße 2–4 10787  
Berlin, Deutschland

Phone: +49 (0) 30 23 62 58 95 0  
E-Mail: hello@sprylab.com

Management: Stephan Heck, Benjamin Kolb, Arthur Silber  
Commercial register: Charlottenburg Local Court (Amtsgericht Charlottenburg), HRB 110962

You can reach our company Data Protection Officer at:
Jens Bimberg E-Mail: privacy@sprylab.com

General Information on Data Processing

We process the personal data of our users exclusively in accordance with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and the German Telecommunications Digital Services Data Protection Act (TDDDG).

Personal data is all information relating to an identified or identifiable natural person (Art. 4 No. 1 GDPR). This includes, for example, name, email address, telephone number or IP address.

As a rule, we only process personal data to the extent necessary to provide a functioning website as well as our content and services. Processing takes place only on the basis of one of the following legal bases:

  • Consent of the data subject (Art. 6 (1) (a) GDPR)
  • Necessity for the performance of a contract or for taking pre-contractual measures (Art. 6 (1) (b) GDPR)
  • Compliance with a legal obligation (Art. 6 (1) (c) GDPR)
  • Protection of our legitimate interests, provided that the interests or fundamental rights of the data subject do not override them (Art. 6 (1) (f) GDPR)

Insofar as consent is required for operations on your device (e.g. the setting of cookies), we obtain it in advance via our consent tool (§ 25 (1) TDDDG).

Provision of the Website and Server Log Files

Each time our website is accessed, our hosting provider automatically collects technical information transmitted by your browser. This is stored in so-called server log files:

  • IP address of the requesting device
  • Date and time of access
  • Name and URL of the file retrieved
  • Volume of data transferred
  • Message about successful retrieval
  • Browser type and version used
  • Operating system used
  • Referrer URL (previously visited page)

Processing takes place to provide the website, to ensure system security and stability, and to investigate any cases of misuse.

Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in secure and stable operation).

Storage period: The log files are stored for a maximum of 30 days. Longer storage occurs only if necessary to investigate security-related incidents.


Cookies and Comparable Technologies

We use cookies and comparable technologies on our website. Cookies are small text files that are stored in your browser and contain certain information.

We distinguish between:

  • Technically necessary cookies that are essential for the operation of the website (e.g. for storing your cookie settings or for providing security functions). Legal basis: § 25 (2) No. 2 TDDDG and Art. 6 (1) (f) GDPR.
  • Consent-requiring cookies and tools (e.g. for analytics, marketing or external services), which are loaded only after your active consent via our consent banner. Legal basis: § 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR.

A complete and always up-to-date overview of all cookies used (including provider, purpose and storage period) can be found in our consent banner under “Cookie settings”. There you can adjust your consent at any time or withdraw it with effect for the future. To manage consents we use the Cookiebot service (see section 7.3).


Contacting Us

If you contact us by email, contact form or telephone, we process your details (e.g. name, email address, company, message content) to handle your request.

Legal basis: Art. 6 (1) (b) GDPR, insofar as your request is aimed at concluding a contract, otherwise Art. 6 (1) (f) GDPR (legitimate interest in responding to enquiries).

Your data will be deleted as soon as it is no longer required for the purpose of collection and no statutory retention obligations prevent this.


Newsletter

If you sign up for our newsletter, we process your email address and, where applicable, other voluntary details in order to send you the newsletter.

Registration takes place via the double opt-in procedure: after signing up, you receive an email with a confirmation link. Only after you click this link is the registration complete.

Legal basis: Art. 6 (1) (a) GDPR (consent).

You can unsubscribe from the newsletter at any time, e.g. via the unsubscribe link at the end of every newsletter email or by email to privacy@sprylab.com. The withdrawal of consent does not affect the lawfulness of the processing carried out up to the withdrawal.

For sending the newsletter we use HubSpot (see section 7.4).


Services and Third-Party Providers Used

Below we inform you about the third-party provider services we use on this website. Insofar as personal data is transferred to countries outside the EU/EEA (third countries), we point this out separately and name the relevant safeguards (e.g. EU-US Data Privacy Framework, standard contractual clauses).

Amazon Web Services

Provider: Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg (parent company: Amazon Web Services, Inc., USA).

Our website is hosted on servers operated by Amazon Web Services (AWS). Each time the website is accessed, technical data (in particular IP address, timestamp, file retrieved, browser and device information) is processed on the AWS servers. Processing takes place within the EU.

Purpose: Provision and secure operation of the website.

Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in stable and secure operation of the website).

Third-country transfer: A transfer to the USA cannot be ruled out in the context of technically necessary support or maintenance processes. Amazon Web Services, Inc. is certified under the EU-US Data Privacy Framework. A data processing agreement pursuant to Art. 28 GDPR is in place with AWS, as well as an agreement on EU standard contractual clauses.

Further information: https://aws.amazon.com/de/privacy/


Cloudflare

Provider: Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA.

We use Cloudflare as a Content Delivery Network (CDN) and Web Application Firewall. Cloudflare speeds up the delivery of our website and protects it against abusive access (e.g. DDoS attacks). In doing so, your IP address and possibly other technical data are transmitted to Cloudflare.

Purpose: Secure, fast and stable provision of the website.

Legal basis: Art. 6 (1) (f) GDPR (legitimate interest).

Third-country transfer: A transfer to the USA takes place. Cloudflare, Inc. is certified under the EU-US Data Privacy Framework. A data processing agreement pursuant to Art. 28 GDPR is in place with Cloudflare, as well as an agreement on EU standard contractual clauses.

Further information: https://www.cloudflare.com/de-de/privacypolicy/

Cookiebot

Provider: Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark.

We use the Cookiebot service to obtain, manage and document your consent to the use of cookies and comparable technologies. When our website is accessed, the following data is processed via Cookiebot: your IP address (anonymized), the time and content of your consent, browser and device information, and a randomly generated, anonymous user identifier.

Purpose: Obtaining and documenting the consents required under § 25 (1) TDDDG and Art. 6 (1) (a) GDPR, as well as the legally compliant delivery of cookies according to your selection.

Legal basis: Art. 6 (1) (c) GDPR (compliance with the legal obligation to document consents pursuant to Art. 7 (1) GDPR); insofar as information is stored on your device for the function of the banner, § 25 (2) No. 2 TDDDG (technically necessary).

Storage period: Your consent or its withdrawal is generally documented for 12 months.

Third-country transfer: Does not take place. Cookiebot processes the data within the EU.

Further information: https://www.cookiebot.com/de/privacy-policy/

HubSpot

Provider: HubSpot Ireland Limited, 1 Sir John Rogerson's Quay, Dublin 2, Ireland (parent company: HubSpot, Inc., USA).

We use HubSpot as a CRM and marketing platform. HubSpot processes the data you provide to us via forms on our website, in the course of newsletter registration, or when requesting content (e.g. whitepapers, webinar registrations). Insofar as HubSpot uses tracking cookies to track your interaction with our website and to measure the effectiveness of our marketing measures, this happens exclusively after your consent via our consent banner.

Data collected includes, among other things: name, email address, company, position, telephone number, IP address, browser type, pages visited, time spent.

Purpose: Management of contacts, handling of enquiries, provision of content, sending of newsletters, analysis and optimization of our marketing activities.

Legal basis: For handling enquiries and pre-contractual measures: Art. 6 (1) (b) GDPR. For newsletter and marketing tracking cookies: Art. 6 (1) (a) GDPR in conjunction with § 25 (1) TDDDG (consent via consent banner or registration form).

Third-country transfer: A transfer to the USA may take place. HubSpot, Inc. is certified under the EU-US Data Privacy Framework. A data processing agreement pursuant to Art. 28 GDPR is in place with HubSpot.

Further information: https://legal.hubspot.com/de/privacy-policy

Google Analytics

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, USA).

We use Google Analytics 4 for the statistical evaluation of the use of our website. Google Analytics uses cookies and similar technologies to collect information about your use of the website (e.g. pages visited, time spent, source of access, approximate location, device used, truncated IP address).

We have activated IP anonymization; your IP address is truncated before any storage.

Purpose: Analysis of user behavior to optimize our website and our content.

Legal basis: Art. 6 (1) (a) GDPR in conjunction with § 25 (1) TDDDG. It is used only if you have previously given consent via our consent banner.

Storage period: The data collected by Google Analytics is automatically deleted after 14 months.

Third-country transfer: A transfer to the USA may take place. Google LLC is certified under the EU-US Data Privacy Framework. A data processing agreement pursuant to Art. 28 GDPR is in place with Google, as well as an agreement on EU standard contractual clauses.

You can withdraw your consent at any time via the cookie settings. In addition, you can install the browser add-on to deactivate Google Analytics: https://tools.google.com/dlpage/gaoptout?hl=de

Further information: https://policies.google.com/privacy?hl=de


Google reCAPTCHA

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

To protect our forms against abusive automated input (bots), we use the “reCAPTCHA” service. In doing so, the following data, among others, is transmitted to Google: IP address, referrer URL, information about operating system and browser, time spent, cookies, mouse and keyboard behavior.

Purpose: Defense against spam and abusive automated access to our forms.

Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in preventing misuse). Insofar as reCAPTCHA stores or reads information on your device, this takes place on the basis of your consent pursuant to Art. 6 (1) (a) GDPR in conjunction with § 25 (1) TDDDG, which you give via our consent banner.

Third-country transfer: A transfer to the USA may take place. Google LLC is certified under the EU-US Data Privacy Framework.

Further information: https://policies.google.com/privacy?hl=de and https://policies.google.com/terms?hl=de


Calendly

Provider: Calendly LLC, 271 17th St NW, 10th Floor, Atlanta, Georgia 30363, USA.

On our website we offer you the option of scheduling appointments with us via Calendly. When booking, you provide, among other things, your name, email address, possibly your company and your preferred appointment. This data is transmitted to Calendly and stored on their servers. Calendly also uses cookies.

Purpose: Enabling simple appointment scheduling with prospects and customers.

Legal basis: For the appointment scheduling itself: Art. 6 (1) (b) GDPR (performance of pre-contractual measures) or Art. 6 (1) (f) GDPR (legitimate interest in efficient appointment coordination). For loading the Calendly widget and the associated cookies: Art. 6 (1) (a) GDPR in conjunction with § 25 (1) TDDDG (consent via consent banner).

Third-country transfer: A transfer to the USA takes place. Calendly LLC is certified under the EU-US Data Privacy Framework. A data processing agreement pursuant to Art. 28 GDPR is in place with Calendly; in addition, EU standard contractual clauses are applied.

Further information: https://calendly.com/privacy

LinkedIn Insight Tag

Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (parent company: LinkedIn Corporation, USA).

We use the LinkedIn Insight Tag to measure the effectiveness of our advertising measures on LinkedIn, to define target groups for ads, and to analyze the use of our website. In doing so, the following data, among others, is transmitted to LinkedIn: IP address (truncated or hashed), device and browser characteristics, timestamp, pages visited.

Purpose: Analysis of the effectiveness of our marketing measures, retargeting, audience-appropriate delivery of advertisements.

Legal basis: Art. 6 (1) (a) GDPR in conjunction with § 25 (1) TDDDG (consent via consent banner).

Storage period: LinkedIn deletes direct identifiers of LinkedIn members after seven days and pseudonymized data after 180 days.

Third-country transfer: A transfer to the USA may take place. LinkedIn Corporation is certified under the EU-US Data Privacy Framework. We and LinkedIn are joint controllers within the meaning of Art. 26 GDPR; you can find the corresponding agreement here: https://legal.linkedin.com/dpa

Further information: https://www.linkedin.com/legal/privacy-policy


SEMrush

Provider: Semrush Inc., 800 Boylston Street, Suite 2475, Boston, MA 02199, USA.

We use SEMrush for search engine optimization, market analysis and competitive monitoring. We use SEMrush predominantly server-side to evaluate publicly accessible data (e.g. rankings, backlinks); in this context, as a rule, no personal data of our website visitors is processed.

Insofar as SEMrush uses scripts or cookies on our website that collect personal data (e.g. IP address), this takes place exclusively on the basis of your consent.

Purpose: Search engine optimization and analysis of our website performance.

Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in optimizing our online presence); insofar as information is stored on or read from your device, Art. 6 (1) (a) GDPR in conjunction with § 25 (1) TDDDG (consent).

Third-country transfer: A data processing agreement pursuant to Art. 28 GDPR is in place with SEMrush; any data transfers to the USA are based on EU standard contractual clauses.

Further information: https://www.semrush.com/company/legal/privacy-policy/


YouTube

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, USA).

On our website we embed videos from the YouTube platform. We use YouTube in extended data protection mode (“youtube-nocookie.com”). Even in this mode, when a video is played, personal data (in particular IP address, device information, browser identifier, and possibly cookies) is transmitted to YouTube. If you are logged into your YouTube account at the time of playback, YouTube may associate the information with your user account.

Purpose: Provision of video content to inform our website visitors.

Legal basis: Art. 6 (1) (a) GDPR in conjunction with § 25 (1) TDDDG. YouTube videos are loaded only after you have given consent via our consent banner.

Third-country transfer: A transfer to the USA may take place. Google LLC is certified under the EU-US Data Privacy Framework.

Further information: https://policies.google.com/privacy?hl=de

Overview of Third-Country Transfers

For some of the services mentioned, personal data is transferred to third countries, in particular to the USA. We have ensured that appropriate safeguards within the meaning of Art. 44 et seq. GDPR exist for all such transfers:

  • Certification of the recipient under the EU-US Data Privacy Framework (adequacy decision of the EU Commission of 10 July 2023), or
  • Conclusion of the EU standard contractual clauses in their current version, supplemented where appropriate by additional technical and organizational measures.

We point out that, despite these safeguards, access by government authorities in the USA cannot be ruled out in every case.


CSocial Media

We operate profiles on the following platforms:

  • LinkedIn: https://www.linkedin.com/company/purplepublish
  • Facebook: https://www.facebook.com/purple.digitalpublishing
  • Instagram: https://www.instagram.com/behind_purple/

When you visit our profiles, the privacy provisions of the respective platform operators also apply. We have no influence on the data processing carried out there. Insofar as joint responsibility pursuant to Art. 26 GDPR exists, a corresponding agreement is in place with the platform operators.

Legal basis for processing by us: Art. 6 (1) (f) GDPR (legitimate interest in public relations and information).


Job Applications

If you apply to us, we process your application documents for the purpose of carrying out the application procedure.

Legal basis: § 26 (1) BDSG in conjunction with Art. 88 GDPR; insofar as you have given us consent (e.g. for inclusion in our talent pool), Art. 6 (1) (a) GDPR.

Storage period: In the event of non-recruitment, we delete your application documents no later than six months after the conclusion of the procedure, unless longer storage is required to defend against legal claims (e.g. under the AGG, the German General Equal Treatment Act) or you have consented to longer storage.


Your Rights as a Data Subject

You have the following rights against us with regard to the personal data concerning you:

  • Access to your processed personal data (Art. 15 GDPR)
  • Rectification of inaccurate or incomplete data (Art. 16 GDPR)
  • Erasure of your data (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection to processing, insofar as it is based on Art. 6 (1) (e) or (f) GDPR (Art. 21 GDPR)
  • Withdrawal of consent given, with effect for the future (Art. 7 (3) GDPR)

To exercise your rights, please contact privacy@sprylab.com.

You also have the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data (Art. 77 GDPR). The authority responsible for us is:

Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit), Alt-Moabit 59–61, 10555 Berlin, https://www.datenschutz-berlin.de


Storage Period

We process and store personal data only for as long as is necessary to achieve the respective processing purpose or as long as a statutory retention obligation exists (e.g. under commercial and tax law). Once the purpose no longer applies or the period expires, the data is routinely deleted or its processing is restricted.


Data Security

We use technical and organizational security measures to protect your personal data against loss, inaccurate alteration and unauthorized access. The transmission of data on this website takes place via an encrypted TLS connection.


Changes this to Privacy Policy

We reserve the right to amend this privacy policy in order to adapt it to changed legal situations or to changes in our services and data processing. You can always find the current version on this page. The date can be found in the information at the beginning of this document.