Privacy Policy
This Privacy Policy describes how deltaDAO AG (in the following deltaDAO, we, us, our) processes personal data as a Processor on behalf of its Onboarding Application Customers and as a Controller.
Last updated on October 20, 2025.
Table of contents
- 1. Contact information of the controller and processor
- 2. What personal data do we process and for which purpose?
- 3. Legal basis of the processing
- 4. Recipients of personal data and storage duration
- 5. Automated decision making including profiling according to Article 13(2)(f) GDPR
- 6. Your rights
- 6.1 Right to withdraw consent (Art. 7(3) GDPR)
- 6.2 Right of access (Art. 15 GDPR)
- 6.3 Right to rectification (Art. 16 GDPR)
- 6.4 Right to erasure (Art. 17 GDPR)
- 6.5 Right to restriction of processing (Art. 18 GDPR)
- 6.6 Right to data portability (Art. 20 GDPR)
- 6.7 Right to object (Art. 21 GDPR)
- 6.8 Right to lodge a complaint (Art. 77 GDPR)
- 7. Questions
- 8. Changes to the Privacy Policy
1. Contact information of the controller and processor
1.1 Definitions
- “Controller” refers to the natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data (cf. Art. 4(7) GDPR).
- "Processor" refers to the legal person which processes personal data on behalf of the controller (cf. Art. 4(8) GDPR).
1.2 Classification
The “Onboarding Application Customer” is the Controller of processing “Usage Data”, “Authentication Data” and “Organization and User Data” (see chapter 2 for more details) when using deltaDAO’s Onboarding Application. “Onboarding Application Customer” is the company or organization (e.g., your employer) that subscribed to and utilizes deltaDAO’s Onboarding Application (in the following Onboarding Application or Service) and instructs deltaDAO, as a Processor, to process personal data on their behalf.
deltaDAO AG is the Controller of processing “Statistics Data” for creating aggregated statistics and “E-mail Communication Data” (see chapter 2 for more details).
1.3 Contact
Onboarding Application Customer:
If you have any questions about specific Onboarding Application Customer privacy practices or personal data processing, please contact your organization or your organization’s Data Protection Officer (if applicable).
deltaDAO AG:
If you have any questions about the protection of your personal data at deltaDAO, please contact us or our Data Protection Officer using the following contact information:
deltaDAO AG
Katharinenstraße 30a (Contor)
20457 Hamburg
Germany
E-mail: contact@delta-dao.com
Data Protection Officer
deltaDAO AG
Katharinenstraße 30a (Contor)
20457 Hamburg
Germany
E-mail: privacy@delta-dao.com
2. What personal data do we process and for which purpose?
Personal data is any information that can be directly or indirectly associated with you.
2.1 Processing of personal data as a Processor
deltaDAO and its Processors process the personal data listed below on behalf of our Onboarding Application Customers. The purpose of the processing is to ensure the delivery and performance of our Services to our Onboarding Application Customers.
“Usage Data”:
- The following Usage Data is generated while using our service:
- Operating system (OS)
- Content accessed (URL)
- Internet Protocol (IP) address
- Further User-Agent-Request-Header data (device type, used browser)
- Date and time that the services were used
- Application diagnostics, connection timestamps, server the user was connected to
- Activity logs (login attempts)
- Usage Data is collected and used for providing our service because it is a technical requirement for ensuring communication between your device and our Onboarding Application (including frontend and backend) and displaying the website contents correctly. Moreover, usage data is collected, used and stored in log files for security, fraud-prevention, abuse-prevention, and troubleshooting purposes.
“Authentication Data”:
- Authentication Data is processed when you are creating, using or updating your account:
- User e-mail addresses
- User public key material (when using passkey- or WebAuthn-based authentication)
- Authenticator names (e.g., “John’s YubiKey”, “John’s iPhone”)
- Authentication Data is collected, used and stored to enable you to create, log in to, use and update your account.
“Organization and User Data”:
- Organization and User Data is provided by you or the respective Onboarding Application Customer (e.g. your employer) or generated automatically during account creation or update and includes your:
- User ID and Authentication ID,
- E-mail address and
- Organizational affiliation.
- Organization and User Data is collected, used and stored to enable you to use the Pontus-X onboarding and Gaia-X credential creation service.
2.2 Processing of personal data as a Controller
deltaDAO processes the following categories of personal data as a Controller:
“Statistics Data”:
- deltaDAO uses Plausible Analytics (see also chapter 4), a privacy-friendly web analytics tool for tracking overall trends on our Onboarding Application. Plausible primarily uses data that is recorded by default in server logs, such as requested URLs, access times, HTTP status codes and transferred data volumes. When the data is received, it is pseudonymized using a hash function and a regularly changing key (salt): hash(daily_salt + website_domain + ip_address + user_agent). This process aims to change personal data in such a way that data subjects are no longer directly identifiable, while sessions can still be distinguished from one another. Plausible Analytics never stores the raw IP address and User-Agent in logs, databases or anywhere on disk at all. Within 24 hours of pseudonymization, the data is completely anonymized by removing the “salt” so that it can no longer be traced back to the original user data. The remaining data does not allow any direct or indirect identification of you.
- Purpose: Statistics Data is collected, used and stored for reach measurement and optimization of the Onboarding Application.
“E-mail Communication Data”:
- If you contact us via e-mail, deltaDAO collects, uses, and stores your e-mail address, and any other information you provide us in your message, such as your name. When you send us an e-mail, our (mail) service provider Microsoft Corporation (see also chapter 4) supports us in processing your personal data so we can communicate with you.
- Purpose: We collect, use and store this personal data to respond to your inquiries.
3. Legal basis of the processing
deltaDAO processes your Usage Data, Authentication Data and Organization and User Data as a Processor in accordance with the Onboarding Application Customer’s instructions to provide our Services (see also chapter 1). Because deltaDAO acts as a Processor, it is our Onboarding Application Customer (Controller) who determines the applicable legal basis associated with the processing operations. Queries about the applicable legal basis should be directed to them.
deltaDAO creates statistics and processes E-mail Communication Data as a Controller based on our legitimate interest, according to Art. 6(1)(f) GDPR:
- Statistics Data: It is in deltaDAO’s interest to continuously improve and develop our Service.
- E-mail Communication Data: Our legitimate interest is to answer your inquiries.
4. Recipients of personal data and storage duration
4.1 Frontend hosting provider
When visiting and using our Onboarding Application, your “Usage Data” is processed by Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. Vercel is a service provider that hosts our Onboarding Application frontend. Our Onboarding Application frontend is served by Vercel using a Content Delivery Network, a geographically distributed network, with servers within and outside of the European Economic Area (EEA). This means, if you are located within the EEA, your IP address will most likely (but not guaranteed) be processed on a Vercel server within the EEA.
There is no adequacy decision for the USA from the European Commission. Our cooperation with Vercel is based on a Data Processing Agreement (DPA) including Standard Contractual Clauses (SCC). You have the right to receive a copy of these SCC. To exercise your right, please contact us at privacy@delta-dao.com.
- Here you can find Vercel's current DPA including SCC ↗.
- Here you can find Vercel's privacy policy ↗.
Storage duration: Vercel retains your personal data for as long as needed to provide their services. Additionally, Vercel does not delete the data when it is needed for the establishment, exercise, or defense of legal claims. In this case, the information is retained as long as needed for exercising respective potential legal claims.
4.2 Backend hosting provider
When using our Onboarding Application, your “Usage Data” and “Organization and User Data” are processed on our backend components enabling our Onboarding Application functionalities. Backend components are managed by deltaDAO and hosted on Exoscale servers located in Frankfurt, Germany by Akenes SAE. Akenes SAE is headquartered in Boulevard de Grancy 19A, 1006 – Lausanne, Switzerland.
Our cooperation with Akenes SAE is based on a Data Processing Agreement (DPA). Here you can find Akenes SAE’s current DPA ↗.
Storage duration:
- Your “Usage Data” is stored in log files for a maximum of seven days.
- Your “Organization and User Data” is stored until you delete your account. We store your personal data beyond this period if we are obliged to do so due to retention obligations under tax and commercial law or in the event of legal disputes. If the latter is the case, your personal data will be erased after the retention period has expired.
4.3 Backend communication provider
When using our Onboarding Application, your Organization and User Data is processed by our Processor ELESTIO LIMITED, 66 Fitzwilliam Square, Dublin 2 D02 AT27, Ireland for managing event-driven backend service communication.
Our cooperation with ELESTIO LIMITED is based on a Data Processing Agreement (DPA). Here you can find ELESTIO LIMITED’s current DPA ↗.
Storage duration: Your Organization and User Data is stored for the minimum time necessary to process the event. It is erased automatically, usually within a few minutes.
4.4 Authentication provider
When you create an account, or log in to, use or log out of your account, “Authentication Data” is processed by our authentication provider Hanko GmbH, Ringstr. 19, 24114 Kiel, Germany (in the following Hanko).
Our cooperation with Hanko is based on a Data Processing Agreement (DPA). If you wish to receive a copy of the DPA, please contact us at privacy@delta-dao.com.
Storage duration: Your “Authentication Data” is processed for the duration of the contractual relationship between deltaDAO and Hanko. In the meantime, the “Authentication Data” will be deleted upon request or if the purpose ceases to exist. After termination of the contractual relationship, the “Authentication Data” is deleted in accordance with the internal deletion concept of Hanko.
4.5 Mail service provider
When communicating with us via e-mail, our mail service provider Microsoft Corporation (located at 1 Microsoft Way, Redmond, Washington 98052-8300, USA) supports us in processing your personal data (e-mail address and information contained in the e-mail) so we can communicate with you.
There is no adequacy decision for the USA from the European Commission. We have restricted storage to the EEA and signed SCC with our provider. You have the right to receive a copy of these SCC. To exercise your right, please contact us at privacy@delta-dao.com.
- Here you can find Microsoft's current DPA including SCC ↗.
- Here you can find Microsoft's privacy policy ↗.
Storage duration: We store your personal data as long as we need it to process your inquiries. We store your personal data beyond this period if we are obliged to do so due to retention obligations under tax and commercial law or in the event of legal disputes. If the latter is the case, your personal data will be erased after the retention period has expired.
4.6 Aggregated statistics provider
deltaDAO uses Plausible Analytics (by Plausible Insights OÜ, Västriku tn 2, 50403, Tartu, Estonia, Registration number 14709274, in the following Plausible), a privacy-friendly web analytics tool for tracking overall trends on our Onboarding Application. deltaDAO signed a DPA with Plausible.
- Here you can find Plausible's current DPA ↗.
- Here you can find Plausible's privacy policy ↗.
- Here you can find more information about Plausible's privacy practices ↗, security practices ↗ and a legal assessment on GDPR compliance ↗.
Plausible Analytics only uses EU-based service providers for hosting and additional services such as CDN and DDoS protection. The servers are located in Germany (operated by Hetzner) and additional services are provided by Bunny (based in Slovenia).
Plausible Analytics does not use cookies or similar technologies that require information to be stored on your device. Instead, the tool focuses on analyzing aggregated data without the need to access your end device or store information there. Plausible Analytics does not track individual visitors and does not create persistent identifiers. It does not use cross-platform or cross-device tracking and does not pass on data to third parties.
Storage duration: Your personal data is anonymized after 24 hours.
5. Automated decision making including profiling according to Article 13(2)(f) GDPR
Automated decision making including profiling does not take place.
6. Your rights
Pursuant to the GDPR, you have the following rights. If you wish to exercise your rights or have any questions, do not hesitate to contact us.
6.1 Right to withdraw consent (Art. 7(3) GDPR)
Where processing is based on consent, you have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
6.2 Right of access (Art. 15 GDPR)
You have the right to obtain confirmation as to whether the controller processes personal data about you. If the controller is processing personal data about you, you have the right to access these personal data and to obtain the information defined in Art. 15 GDPR.
6.3 Right to rectification (Art. 16 GDPR)
You have the right to obtain without undue delay the rectification of inaccurate personal data about you. Additionally, you have the right to have incomplete personal data about you completed.
6.4 Right to erasure (Art. 17 GDPR)
You have the right to obtain without undue delay the erasure of personal data about you, where the defined legal grounds in Art. 17 GDPR apply.
6.5 Right to restriction of processing (Art. 18 GDPR)
Moreover, you have the right to obtain the restriction of processing your personal data where the defined legal grounds in Art. 18 GDPR apply.
6.6 Right to data portability (Art. 20 GDPR)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format. Additionally, you have the right to transmit those data to another controller without hindrance, where the defined legal grounds in Art. 20 GDPR apply. You can make use of your right to data portability by contacting us.
6.7 Right to object (Art. 21 GDPR)
On grounds relating to your particular situation, you have the right to object to the processing of your personal data where the processing is based on legitimate interests (Art. 6(1)(f) GDPR). If you object, the controller will no longer process your personal data unless the controller can demonstrate compelling legitimate grounds for the processing, overriding your rights, freedoms, and interests, or if the processing is required to establish, exercise, or defend legal claims.
6.8 Right to lodge a complaint (Art. 77 GDPR)
You have the right to lodge a complaint with a supervisory authority if you consider the processing of your personal data by the controller infringes the GDPR. You can lodge a complaint in particular
- in the Member State of your habitual residence,
- in the Member State of your place of work, and
- in the place of the alleged infringement.
7. Questions
If you have any questions about our privacy policy, please send us an e-mail at privacy@delta-dao.com.
8. Changes to the Privacy Policy
This privacy policy will be amended from time to time. You can see the date of the last alteration at the top of the privacy policy.