Privacy Policy

I. General Notes

bayshore AI GmbH (hereinafter referred to as "bayshore") as operator of the website www.bayshore.ai takes the protection of personal data very seriously. We treat personal data confidentially and in accordance with the statutory data protection regulations and on the basis of this privacy policy. The legal basis can be found in particular in the General Data Protection Regulation (GDPR) and in the Federal Data Protection Act (BDSG).

When you use this website, various personal data are processed depending on the type and extent of use. Personal data is information that relates to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified directly or indirectly (e.g. by means of association with an online identifier). This includes information such as the name, address, telephone number and date of birth.

This privacy policy informs you in accordance with Art. 12 et seq. GDPR about the handling of your personal data. In particular, it explains which data we collect and what we use it for. In addition, it informs you about how and for what purpose this is done.

This privacy policy refers to the data processing procedures when visiting our website at www.bayshore.ai. In addition, it informs all natural persons whose personal data we process when they contact us or otherwise interact with us - in particular prospects, customers, suppliers, partners and their respective contact persons, as well as any other person who contacts us by e-mail, telephone or by booking a call. This applies regardless of whether you act in a professional or a private capacity.

This privacy policy does not apply to the processing of personal data within our software products and services provided to customers. Where bayshore processes personal data as a processor on behalf of a customer in the context of those services, such processing is governed by the respective contract and our Data Processing Agreement pursuant to Art. 28 GDPR. Security, compliance and subprocessor information regarding our services is published in our Trust Center at https://trust.bayshore.ai/.

II. Controller

The controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data (e.g. names, e-mail addresses, etc.). The controller within the meaning of the GDPR and the applicable national data protection laws (in particular BDSG) and other data protection provisions is:

bayshore AI GmbH
Theresienstr. 43
80333 Munich, Germany

Tel.: +49 151 41824418
E-mail: hq@bayshore.ai

Managing Directors: Paul F. Welter, Philipp Wiegand and Erik Krauter
Registered with the commercial register of the Local Court of Munich under HRB 302926
VAT ID: DE400208363

III. The Company Data Protection Officer

We have appointed a company data protection officer for our company. You can reach him at:

Paul F. Welter, Rechtsanwalt (attorney at law)
Data Protection Officer
bayshore AI GmbH
Theresienstr. 43
80333 Munich, Germany

Tel.: +49 151 41824418
E-mail: paul.welter@bayshore.ai

IV. Purposes and Legal Bases of the Processing of Data

1. Hosting and Access to our Website - Server Log Files

Our website is hosted by Webflow, Inc., 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA ("Webflow"). When you visit our website, Webflow processes, as our processor, the information that is technically required to display the website in your browser and to ensure the stability and security of the website. This information is automatically collected each time the website is called up and stored in so-called server log files. These typically are:

• Browser type and version

• Operating system used

• Website from which the access is made (referrer URL)

• Date and time of access

• The requested file or page

• IP address of the requesting device (stored by Webflow in anonymized form)

The processing of this access data is necessary for technical reasons in order to provide a functional website and to ensure system security. The legal basis is Art. 6 (1) sentence 1 lit. f GDPR; our legitimate interest lies in being able to provide you with a technically functioning, stable and secure website. Where you access our website in order to obtain information about our products and services, the legal basis is additionally Art. 6 (1) sentence 1 lit. b GDPR. This data is not merged with other data sources and is not evaluated for marketing purposes.

According to information provided by Webflow, full IP addresses of visitors to our website are not stored on disk or in log files. Where IP addresses are processed in access or error logs, they are anonymized by removing the last octet. For the purpose of protecting against brute-force attacks, a hashed IP address is held in memory for a maximum of 24 hours. Technical log data is retained by Webflow for approximately 15 days and, in archived form, for up to 12 months.

We have concluded a data processing agreement pursuant to Art. 28 GDPR with Webflow. Webflow is established in the USA; on the transfer of data to third countries, see section VI below.

2. Video Content and Content Delivery (Bunny)

To deliver video content efficiently on our website, we use the content delivery and video hosting service of BunnyWay d.o.o., Dunajska cesta 165, 1000 Ljubljana, Slovenia ("Bunny"). When you access a page containing such content, the relevant files are delivered via Bunny's infrastructure, and your IP address and technical connection data are processed for this purpose. Bunny processes this data, as far as possible, in anonymized form and exclusively for the purpose of delivering the content and ensuring security and stability.

The legal basis is Art. 6 (1) sentence 1 lit. f GDPR; our legitimate interest lies in the fast, reliable and secure delivery of our content. We have concluded a data processing agreement pursuant to Art. 28 GDPR with Bunny. Bunny is established in the European Union.

3. Booking a Call via Google Appointment Scheduling

To arrange a call with us, we embed a booking page based on the appointment scheduling function of Google Calendar ("Book a call"). The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google Ireland"); data may also be transmitted to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google LLC"). Google Ireland and Google LLC are hereinafter jointly referred to as "Google". When the booking page is displayed and used, a connection to Google's servers is established.

When you use the booking page, you provide personal data such as your name, e-mail address and any other information requested in the booking form, and you select an appointment. Google processes this data to display available time slots, manage the booking and send confirmations or reminders; a corresponding entry is created in our calendar. We receive the information required to prepare and hold the agreed call. We have no influence on the full scope of data processing by Google on the booking page; further details can be found in Google's privacy policy at https://policies.google.com/privacy.

If you book a call in connection with an existing contractual relationship or in advance to obtain information about our products or services, the legal basis is Art. 6 (1) sentence 1 lit. b GDPR (performance of a contract or pre-contractual measures). Otherwise, the legal basis is Art. 6 (1) sentence 1 lit. f GDPR (legitimate interest in responding to contact and scheduling requests efficiently). Data processed in connection with a booking is retained only for as long as necessary to prepare and conduct the call and for any follow-up, unless longer retention is required by law or, where the contact is transferred into our customer relationship management, until you request its deletion (see section 6 below). On the transfer of data to third countries, see section VI below.

4. Conducting Calls (Video Conferencing, Recording and Transcription)

Calls arranged with us are generally conducted by video conference using Google Meet, a service of Google (see section 3 above for the relevant Google entities). In this context, your connection data and the content of the conversation are processed. Where it is useful for documenting and following up on the conversation, we record and/or transcribe calls. We will inform you of any recording or transcription before it begins and, where required, obtain your consent.

The legal basis for conducting the call is Art. 6 (1) sentence 1 lit. b GDPR where the call serves the performance of a contract or pre-contractual measures, and otherwise Art. 6 (1) sentence 1 lit. f GDPR (legitimate interest in efficient communication and documentation). Where we obtain your consent for a recording or transcription, the legal basis is Art. 6 (1) sentence 1 lit. a GDPR; you may revoke this consent at any time with effect for the future. On the transfer of data to third countries, see section VI below.

5. Use of Cookies and related Functions/Technologies

Cookies are small text files that are stored on your terminal device by your browser. They serve, among other things, to make our website functional and secure. A distinction is made between "session cookies", which are automatically deleted after the end of your visit, and "persistent cookies", which remain stored on your terminal device for a defined period or until you delete them.

Our website uses only technically necessary or functional cookies that are required for the operation, security and basic functions of the website (for example a session cookie set by our hosting provider). We do not currently use Google Analytics or comparable analytics tools, advertising or tracking cookies, or social media or video plugins such as YouTube or Google Maps. Where you display and use the embedded Google booking page or video content (see sections 2 and 3 above), the respective provider may set cookies on your device; the legal bases and further information are described in the relevant section above and in the provider's privacy policy.

The use of technically necessary or functional cookies is based on Art. 6 (1) sentence 1 lit. f GDPR (legitimate interest in a secure and functional website) and, in respect of storage of and access to information on your terminal device, on § 25 (2) TDDDG. Where, in an individual case, consent is required, the legal basis is Art. 6 (1) sentence 1 lit. a GDPR and § 25 (1) TDDDG; you may revoke such consent at any time with effect for the future. You can also set your browser so that you are informed about the setting of cookies and can allow, restrict or exclude cookies and activate the automatic deletion of cookies when closing the browser. When disabling cookies, the functionality and/or full availability of this website may be limited.

6. Contacting us and Customer, Supplier and Business Relationship Management

If you contact us (for example by e-mail or telephone, or by booking a call) or if you interact with us as a prospect, customer, supplier, partner or as a contact person of such an organization, we process the personal data required for this purpose. This typically includes your name, contact details (such as e-mail address and telephone number), your organization and role, the content of your message or our communication, and information on the status and history of our relationship.

For e-mail and calendar purposes we use Google Workspace, a service of Google (see section 3 above for the relevant Google entities). To manage contacts and business relationships, we use the customer relationship management service of Attio Limited, 42 St John's Square, 2nd Floor, London EC1M 4EA, United Kingdom ("Attio"). We store the above-mentioned data and, where relevant, the content of communications (including information taken from e-mails and from calls and their transcripts) in these systems. We use these systems, including their automation and AI-assisted features, to prepare, conduct, document and follow up on our communication and business relationships. We do not use this data for newsletters or advertising without a separate legal basis.

The legal basis is Art. 6 (1) sentence 1 lit. b GDPR where the processing serves the performance of a contract or pre-contractual measures, and otherwise Art. 6 (1) sentence 1 lit. f GDPR (legitimate interest in responding to enquiries and in maintaining and managing our business relationships). We have concluded data processing agreements pursuant to Art. 28 GDPR with Google and Attio. We store this data for as long as it is required for the respective relationship or communication and, in the case of contacts stored in our customer relationship management, until you request its deletion, in each case subject to statutory retention obligations (see section VII below). On the transfer of data to third countries, see section VI below.

7. Events, Webinars and Demos

If you register for or take part in an event, webinar or product demonstration offered by us, we process the data you provide for registration (such as name, e-mail address, organization and role) as well as data on your participation. We use this data to organize and conduct the event and to follow up on it.

The legal basis is Art. 6 (1) sentence 1 lit. b GDPR where the event serves pre-contractual measures or the performance of a contract, and otherwise Art. 6 (1) sentence 1 lit. f GDPR (legitimate interest in presenting our products and services and in conducting events). Where we use service providers to organize or conduct events, they act as our processors on the basis of a data processing agreement pursuant to Art. 28 GDPR.

8. Accounting and Tax

In order to comply with our commercial and tax obligations and to process our business relationships, we process master data, contract data and payment data of our customers, suppliers and their contact persons. For accounting and bookkeeping purposes we use the services of DATEV eG, Paumgartnerstr. 6-14, 90329 Nuremberg, Germany, and of Lexware GmbH & Co. KG (lexoffice), Munzinger Str. 9, 79111 Freiburg, Germany.

The legal basis is Art. 6 (1) sentence 1 lit. c GDPR (compliance with legal obligations, in particular under commercial and tax law) and Art. 6 (1) sentence 1 lit. b GDPR (performance of a contract). Where we engage these and other service providers as processors, this is done on the basis of a data processing agreement pursuant to Art. 28 GDPR. This data is retained in accordance with the statutory retention obligations (see section VII below).

9. Other Processing Purposes

Compliance with legal requirements: We also process your personal data to comply with other legal obligations that may apply to us in connection with our business activities. These include, in particular, retention periods under commercial, trade or tax law. We process your personal data in accordance with Art. 6 (1) sentence 1 lit. c GDPR (legal basis) for the fulfillment of a legal obligation to which we are subject.

Law enforcement: We also process your personal data in order to be able to assert our rights and enforce our legal claims. Likewise, we process your personal data in order to be able to defend ourselves against legal claims. Finally, we process your personal data to the extent necessary to prevent or prosecute criminal offences. In this context, we process your personal data to protect our legitimate interests pursuant to Art. 6 (1) sentence 1 lit. f GDPR (legal basis), insofar as we assert legal claims or defend ourselves in legal disputes or we prevent or investigate criminal offences (legitimate interest).

Consent: If you have given us consent to process personal data for certain purposes (e.g. sending information material and offers), the lawfulness of this processing is based on your consent. Consent given can be revoked at any time. This also applies to the revocation of declarations of consent given to us before the applicability of the GDPR, i.e. before 25.5.2018. Please note that the revocation is only effective for the future and processing until then is not affected.

V. Recipients of Data

Within bayshore AI GmbH, those internal bodies and departments receive access to your data that need it to fulfil our contractual and legal obligations and the purposes described above.

In addition, we use carefully selected service providers who process personal data on our behalf as processors pursuant to Art. 28 GDPR and who are bound by our instructions. These include, in particular, our website hosting provider (Webflow), our content delivery and video hosting provider (Bunny), our provider of e-mail, calendar and video conferencing services (Google), our customer relationship management provider (Attio) and our accounting service providers (DATEV and lexoffice).

We further transmit personal data to recipients that act as independent controllers where this is necessary, in particular to our tax advisors and legal advisors, who are subject to professional confidentiality obligations, as well as to public authorities and courts where we are legally obliged to do so. We limit the transfer of your personal data to what is necessary, taking into account the requirements of data protection law.

VI. Data Transfer to Third Countries

Some of the service providers we use are established in a third country or process data in a third country, in particular the USA. Where personal data is transferred to the USA, this is based on the EU-US Data Privacy Framework where the relevant provider is certified under it, and the European Commission has issued an adequacy decision certifying a level of protection comparable to the EEA standard. In particular, Webflow and Google are certified under the EU-US Data Privacy Framework.

Where data is transferred to providers in third countries that are not covered by an adequacy decision, or in addition to such a decision, we ensure an appropriate level of protection through the EU Standard Contractual Clauses pursuant to Art. 46 (2) lit. c GDPR together with additional protective measures. Our customer relationship management provider (Attio) is established in the United Kingdom, for which the European Commission has issued an adequacy decision, and uses infrastructure that may process data in third countries on the basis of such safeguards. Our content delivery and video hosting provider (Bunny) is established in the European Union.

Otherwise, we do not transfer your personal data to countries outside the EU or the EEA or to international organizations, unless explicitly stated otherwise in this privacy policy.

VII. Duration of Data Storage

We initially process and store your personal data for the duration for which the respective purpose of use requires corresponding storage (see above for the individual processing purposes). If applicable, this also includes the periods of the initiation of a contract (pre-contractual legal relationship) and the processing of a contract. On this basis, personal data is regularly deleted as part of the fulfillment of our contractual and/or legal obligations, unless its further processing for a limited period is necessary for the following purposes:

• Fulfillment of statutory retention obligations, e.g. those arising from the German Commercial Code (sections 238, 257 (4) HGB) and the German Fiscal Code (section 147 (3) and (4) AO). The periods specified there for storage and documentation are up to ten years.

• Preservation of evidence taking into account the statute of limitations. According to Sections 194 et seq. of the German Civil Code (BGB), these limitation periods can be up to 30 years, with the regular limitation period being three years.

VIII. Data Security

Personal data is protected by us by means of suitable technical and organizational measures in order to ensure an appropriate level of protection and to safeguard the personal rights of the persons concerned. The measures taken serve, among other things, to prevent unauthorized access to the technical equipment used by us and to protect personal data from unauthorized disclosure by third parties. In particular, this website uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as inquiries that you send to us as the site operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties. Nevertheless, we would like to point out that data transmission on the Internet (e.g. when communicating by e-mail) can have security gaps. A complete protection of data against access by third parties is therefore not possible.

IX. Your Rights as a Data Subject

You are entitled to the following rights as a data subject under the statutory conditions:

Right to information: You are entitled to request confirmation from us at any time within the scope of Art. 15 GDPR as to whether we are processing personal data relating to you; if this is the case, you are also entitled within the scope of Art. 15 GDPR to receive information about this personal data as well as certain other information (including processing purposes, categories of personal data, categories of recipients, planned storage period, the origin of the data, the use of automated decision-making and, in the case of third country transfers, the appropriate safeguards) and a copy of your data. The restrictions of § 34 BDSG apply.

Right to rectification: You are entitled to demand that we rectify the personal data stored about you if it is inaccurate or incorrect, in accordance with Art. 16 GDPR.

Right to erasure: You are entitled, under the conditions of Art. 17 GDPR, to demand that we delete personal data relating to you without delay. The right to erasure does not apply if the processing of the personal data is necessary, for example, to comply with a legal obligation (e.g. legal retention obligations) or to assert, exercise or defend legal claims. In addition, the restrictions of § 35 BDSG apply.

Right to restrict processing: You are entitled to request that we restrict the processing of your personal data under the conditions of Art. 18 GDPR.

Right to data portability: You are entitled, under the conditions of Art. 20 GDPR, to demand that we hand over to you the personal data concerning you that you have provided to us in a structured, common and machine-readable format.

Right of withdrawal: You may withdraw your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent given to us before the applicability of the GDPR, i.e. before 25.5.2018. Please note that the revocation only takes effect for the future. Processing that took place before the revocation is not affected. To declare the revocation, an informal communication to us, e.g. by e-mail, is sufficient.

Right of objection: You have the right to object to the processing of your personal data under the conditions of Art. 21 GDPR, so that we must stop processing your personal data. The right to object exists only within the limits provided for in Art. 21 GDPR. In addition, our interests may conflict with the termination of processing, so that we are entitled to process your personal data despite your objection. We will consider an objection to any direct marketing measures immediately and without weighing the existing interests again.

Information about your right to object according to Art. 21 GDPR: You have the right to object at any time to the processing of your data that is carried out on the basis of Art. 6 (1) sentence 1 lit. f GDPR (data processing on the basis of a balance of interests) or Art. 6 (1) sentence 1 lit. e GDPR (data processing in the public interest), if there are grounds for doing so that arise from your particular situation.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.

The objection can be made without formalities and should preferably be addressed to: bayshore AI GmbH, Theresienstr. 43, 80333 Munich, Germany. E-mail: hq@bayshore.ai

Right to complain to a supervisory authority: Under the conditions of Art. 77 GDPR, you have the right to lodge a complaint with a competent supervisory authority. In particular, you can address a complaint to the supervisory authority responsible for us, the Bavarian State Office for Data Protection Supervision (BayLDA), Wagmüllerstr. 18, 80538 Munich, Germany, tel. +49 (0)89 212672-0, e-mail poststelle@lda.bayern.de, or any other competent supervisory authority. A list of data protection supervisory authorities and their contact details can be found at the following link: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.

Other concerns: For further data protection questions and concerns, please contact our data protection officer. Corresponding inquiries as well as the exercise of your aforementioned rights should, if possible, be sent in writing to our address given above or by e-mail to paul.welter@bayshore.ai.

X. Obligation to Provide Data

In principle, you are not obliged to provide us with your personal data. However, if you do not do so, we may not be able to provide you with unrestricted access to our website, answer your inquiries, arrange or conduct a call with you, or enter into or perform a business relationship with you. Personal data that we do not necessarily need for the above-mentioned processing purposes are marked accordingly as voluntary information.

XI. Automated Decision Making/Profiling

We do not use automated decision making or profiling (an automated analysis of your personal circumstances).

XII. Currency of and Changes to this Privacy Policy

This privacy policy is currently valid and is dated June 2026.

Due to the further development of our website and offers on it or due to changed legal or official requirements, it may become necessary to change this privacy policy.