Last updated: 8 June 2026

The protection of information relating to you, such as your name, your telephone number and your email or IP address ("personal data"), is important to us. Therefore, we operate this website and our services in accordance with the applicable data protection laws, in particular the EU General Data Protection Regulation ("GDPR") and the German Federal Data Protection Act ("BDSG").

You will find below an explanation of how we handle your personal data in this context.

1. Who is the controller?

Valuecase GmbH, Axel-Springer-Platz 3, 20355 Hamburg, Germany E-mail: dataprivacy@valuecase.com

Data Protection Officer: We have assessed the requirements of Art. 37 GDPR and § 38 BDSG and are not required to appoint a Data Protection Officer. For any data protection matter, please contact us at dataprivacy@valuecase.com.

2. What do we do with your personal data?

(a) When you use our website or contact us

The provision of this website requires the processing of personal data, such as your IP address. This processing is necessary for the retrieval of the content displayed on this website (including its functions) and due to IT security measures.

You also have the option of contacting us, for example, via our contact form. For this purpose, we process the personal data that you provide to us.

Legal basis. The processing of your personal data to provide this website and to communicate with you is based on our overriding legitimate interest (Art. 6(1)(f) GDPR). For the provision of this website it is technically necessary that we process certain personal data (e.g. the IP address). For your communication with us, it is necessary that we process your respective personal data.

Recipient categories. We use service providers to provide our website. We transmit personal data to these service providers for this purpose. These service providers are contractually obligated by us to exercise the same care in processing personal data as we do ourselves. Some service providers that we use also process your personal data outside the EU/EEA (see the section "Data transfer to third countries" below).

(b) If you use our online service Valuecase

You can arrange a product demo for our online service Valuecase ("Valuecase") via our website. For this purpose, we collect the personal data that you provide to us.

If you wish to use Valuecase and enter into a usage agreement with us, we process the personal data that is required for the initiation, execution and settlement of the corresponding usage agreement (Art. 6(1)(b) GDPR).

Note on processing on behalf of customers. Where we process personal data on behalf of a Valuecase customer in the course of providing the Valuecase service, we act as a processor under Art. 28 GDPR. That processing is governed by the data processing agreement (DPA / Auftragsverarbeitungsvertrag) concluded with the respective customer, not by this privacy policy. This privacy policy describes only the processing for which Valuecase is the controller.

Recipient categories. We use service providers to provide Valuecase. We transfer personal data to these service providers for this purpose. These service providers are contractually obligated by us to exercise the same care in processing personal data as we do ourselves. Some service providers we use also process your personal data outside the EU/EEA (see the section "Data transfer to third countries" below).

(c) If you are invited to use Valuecase by one of our Valuecase customers

Our Valuecase customers can use our personalized online customer area ("Customer Area") to cover the entire procurement process.

For this purpose, we process — on behalf of the respective Valuecase customer — the personal data required for the technical provision (incl. the functions and IT security) and the use of Valuecase (e.g. the respective IP address).

We also process the personal data that a Valuecase customer and/or a third party authorized by the customer provides to us. Valuecase customers may also invite third parties to use their respective customer area. In these cases, we act as a processor for the respective Valuecase customer under Art. 28 GDPR, and the relevant DPA applies.

Legal basis and balancing of interests. Where we are responsible (controller) for a corresponding data processing, we process the corresponding personal data for the initiation, implementation and execution of the corresponding contract with you (Art. 6(1)(b) GDPR), or on the basis of our overriding legitimate interest in providing the Customer Area and communicating through it (Art. 6(1)(f) GDPR). As part of the necessary balancing of interests, we have weighed your confidentiality interest and that of any authorized third party against our interest in providing the Customer Area; your interest takes a back seat, as we could otherwise not provide this service.

Recipient categories. As above; see "Data transfer to third countries."

(d) Our Valuecase AI features

Valuecase offers AI-assisted features ("Valuecase AI") within the product — for example, generating, summarizing, or searching content at a user's direction. To provide these features, relevant content may be processed by AI model providers acting as our sub-processors.

We use large-language-model providers hosted in the US & Europe. These sub-processors are contractually bound not to use the data to train or improve their general models and to process it only to deliver the feature. We do not use personal data processed through Valuecase AI to train our own or third-party generalized AI models.

Where Valuecase AI processes personal data on behalf of a customer, we act as a processor and the customer DPA applies.

(e) Google Workspace connectors (Gmail, Drive, and Calendar)

Valuecase offers optional connectors that let you link your own Google account so that Valuecase's in-product AI assistant can find relevant emails, files, and calendar entries in response to your prompts and bring the matching items into your Valuecase workspace for you to use. These connectors are optional and are only activated after you grant authorization through Google's OAuth consent screen. You can disconnect them at any time.

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

1. Data we access. We request access only to the connectors you enable, and only for the Google account(s) you connect:

• Gmail connector — reads the content and metadata of your Gmail messages, in order to find messages relevant to your prompt. Scope: https://www.googleapis.com/auth/gmail.readonly
• Drive connector — reads the content and metadata of files in your Google Drive, in order to find files relevant to your prompt. Scope: https://www.googleapis.com/auth/drive.readonly
• Calendar connector — reads and creates calendar events, in order to find relevant events and to create events at your direction.[Scope: https://www.googleapis.com/auth/calendar

2. How we use it. Google user data is accessed solely to provide the feature you have requested: when you submit a prompt, our in-product AI assistant searches your connected Gmail, Drive and/or Calendar for matching items and surfaces or imports the matching content into your Valuecase workspace so you can work with it. For the Calendar connector, the assistant can also create calendar events at your direction. We do not use Google user data for any other purpose, and we do not use it for advertising.

3. Data sharing. We do not sell your Google user data and do not share it for advertising or with data brokers. We share it only with the infrastructure providers and sub-processors strictly necessary to operate the feature (e.g. our cloud hosting provider and the AI model provider that powers the assistant), under contractual confidentiality and data-protection obligations, and only to deliver the feature to you.

4. Limited Use commitment. Valuecase's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements. In particular:

• We do not use, transfer, or sell Google user data — including raw data and any data aggregated, anonymized, or derived from it — to develop, improve, or train generalized or non-personalized AI/ML models.
• We do not allow humans to read Google user data, except (a) with your affirmative agreement for specific messages or files, (b) where necessary for security purposes (such as investigating abuse) or to comply with applicable law, or (c) where the data has been aggregated and anonymized and is used in compliance with the policy.
• We use Google user data only to provide or improve the user-facing features you have requested.

5. Data storage and protection. Google user data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access is restricted to authorized personnel on a least-privilege, need-to-know basis, protected by multi-factor authentication and logged. We maintain an ISO/IEC 27001:2022-certified information security management system and we operate a documented incident-response process.

6. Data retention and deletion. Items you import into Valuecase through a connector are retained for the duration of your organization's contract with Valuecase and are deleted within 90 days after termination of that contract. OAuth tokens/credentials are revoked immediately on disconnect.

You can withdraw access at any time by:

• disconnecting the connector within Valuecase, which revokes our ongoing access; and/or
• revoking access directly in your Google Account security settings at https://myaccount.google.com/permissions.

You may request deletion of Google user data held by Valuecase at any time by contacting dataprivacy@valuecase.com, and we will delete it within 30 days unless we are legally required to retain it.

(f) If you follow us on social media platforms

You have the option of following us on LinkedIn and/or on other social media platforms of third-party service providers. For this purpose, we handle the personal data that you provide to us or that is provided to us by the respective platform operator about you. You can control the privacy settings yourself within the framework of each social media platform.

Legal basis. We process your personal data within the scope of our social media offerings on the basis of our overriding legitimate interest (Art. 6(1)(f) GDPR). For the provision of our social media offerings, it is technically necessary that we process certain personal data (e.g. the IP address; personal data that you have provided to the respective platform operator or to us).

Joint controllership. For our pages on platforms such as LinkedIn and Meta, we and the respective platform operator are joint controllers under Art. 26 GDPR with respect to the processing of page-insights/statistics data. Details of the respective joint-controller arrangements and the platforms' processing are available from the platform operators: LinkedIn's Page Insights Joint Controller Addendum at https://legal.linkedin.com/pages-joint-controller-addendum, and Meta's Page Insights Controller Addendum at https://www.facebook.com/legal/terms/page_controller_addendum.

Recipient categories. The data you transmit to us as part of our social media offerings is also automatically transmitted to the respective platform operators (see "Data transfer to third countries").

(g) If you give us advertising consent

If you give us your advertising consent, we will handle your personal data for our own advertising purposes. Your declaration of consent is the legal basis (Art. 6(1)(a) GDPR). You can revoke your consent at any time with effect for the future; previous processing remains unaffected.

(h) If you have not objected to the use of your e-mail address for similar goods or services

If we receive your e-mail address in connection with the provision of our services, we will process it in order to send you advertising for our own similar goods or services, unless you have objected. You may object at any time at no cost other than transmission costs, by writing to the contact details above or using the opt-out link in any advertising email. The legal basis is our legitimate interest in connection with § 7(3) UWG.

(i) When you apply to us

You can apply for a job with us. For this purpose, we process the personal data that you provide as part of your application, for the initiation, implementation and execution of the corresponding (pre-)contractual relationship (Art. 6(1)(b) GDPR, § 26 BDSG).

(j) If we sell our company and/or a service

We reserve the right to sell our company and/or a service in whole or in part, and may transfer your personal data to a third party in compliance with data protection requirements. We will inform you with a notice period of at least 30 days. The legal basis is our overriding legitimate interest (Art. 6(1)(f) GDPR).

(k) When we anonymize your personal data

We anonymize your personal data in order to evaluate it for statistical purposes. The legal basis is our overriding legitimate interest (Art. 6(1)(f) GDPR). The GDPR and the BDSG do not apply to anonymous data.

(l) Cookies, identifiers and analytics tools

We use cookies/identifiers and analytics tools to provide our website and Valuecase. Some providers we use also process your personal data outside the EU/EEA (see "Data transfer to third countries").

Cookies are data records stored by a web server on your end device. When our website is called up again with the same device, these are sent back either to our website ("first-party cookie") or to another website to which the cookie belongs ("third-party cookie").

Legal basis.

• For technically necessary cookies/identifiers, the legal basis is § 25(2) No. 2 TDDDG (formerly TTDSG) together with our legitimate interest (Art. 6(1)(f) GDPR): storing or accessing information on your device is strictly necessary to provide the service you have expressly requested.
• For all other cookies/identifiers and tracking technologies (in particular analytics and marketing tools), the legal basis is your prior consent (§ 25(1) TDDDG; Art. 6(1)(a) GDPR). These technologies are only set after you have given consent through our consent banner, and you can withdraw your consent at any time with effect for the future.

Withdrawing consent. You can withdraw your consent at any time via the consent settings on our website and/or by deleting cookies in your browser settings. For technical reasons, deleting cookies via the browser applies only to the specific device used.

Analytics and marketing tools we use (only after consent):

• Google Analytics 4 — a web analytics service of Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) and Google LLC (USA). Google Analytics uses cookies to help us analyze how users use the site. Google Analytics 4 does not log or store individual IP addresses; IP data is used only transiently to derive an approximate location. The information generated may be transmitted to and stored on Google servers, including in the USA (see "Data transfer to third countries"). More information: https://policies.google.com/privacy. You can withdraw consent at any time via our consent banner.
• Google Tag Manager — a tag-management service of Google Ireland Limited / Google LLC. Tag Manager itself does not collect personal data but manages the tags that may do so; the tools triggered are described in this policy. More information: https://policies.google.com/privacy.
• Mixpanel — a product-analytics service of Mixpanel, Inc. (USA). Mixpanel uses cookies to analyze usage (e.g. pages visited, elements clicked, device/browser information and a pseudonymized user ID). We use Mixpanel's EU Data Residency program, under which this data is collected, processed and stored in Mixpanel's EU data center (Netherlands). More information: https://mixpanel.com/legal/privacy-policy/.
• Intercom — a customer-messaging and analytics platform of Intercom R&D Unlimited Company (Ireland) and Intercom, Inc. (USA), used to understand usage and to communicate with you (e.g. via in-product or email messages). We use Intercom's EU regional data hosting, under which customer and usage data is hosted in Intercom's EU data center in Dublin, Ireland. More information: https://www.intercom.com/legal/privacy.
• Microsoft Clarity — a product-analytics service of Microsoft capturing usage via behavioral metrics, heatmaps and session replay, using first- and third-party cookies. Data may be transmitted to and stored on Microsoft servers, including in the USA (see "Data transfer to third countries"). More information: https://privacy.microsoft.com/privacystatement.

3. How long do we store your personal data?

We delete your personal data when the purpose of storage no longer applies and no statutory provision requires retention. Where deletion is not possible, processing is restricted. As guidance:

• Contact and inquiry data: deleted once your request is dealt with and no statutory retention period applies.
• Contractual / accounting data: retained for the statutory retention periods (generally 6–10 years under the German Commercial Code (HGB) and Fiscal Code (AO)).
• Imported Google Workspace connector data: retained for the duration of the contract and deleted within 90 days after termination (see section 2(e)).
• Application data: deleted within 6 months after the conclusion of the application process, unless you consent to longer storage or we enter into an employment relationship.
• Cookie/analytics data: retained for the period stated in our cookie/consent settings.

4. What are your data subject rights?

Please contact us at the details above to exercise your rights and to withdraw any consent.

1. Right of access (Art. 15 GDPR) to the personal data we process about you.
2. Right to rectification and completion (Art. 16 GDPR).
3. Right to erasure (Art. 17 GDPR), unless we are legally obliged or entitled to continue processing.
4. Right to restriction of processing (Art. 18 GDPR).
5. Right to object (Art. 21 GDPR), in particular to processing for direct marketing or profiling, and — where processing is based on a balancing of interests — on grounds relating to your particular situation.
6. Right to data portability (Art. 20 GDPR) where processing is based on consent or a contract.
7. Right to withdraw consent (Art. 7(3) GDPR) at any time with effect for the future; processing before withdrawal remains lawful.
8. Right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The authority competent for us is the Hamburg Commissioner for Data Protection and Freedom of Information (Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit). You may also contact the authority in your place of residence.

5. In what context do we create automatic profiles?

No automated decision-making within the meaning of Art. 22 GDPR, including profiling, takes place.

6. Data transfer to third countries

In some cases, personal data is transferred to recipients in third countries (i.e. countries outside the EU/EEA), including the USA. Where this applies to the service providers named in this policy:

• Google Analytics and Google Tag Manager (Google LLC, USA) and Microsoft Clarity (Microsoft Corporation, USA): data may be transferred to and processed on servers in the USA.
• Mixpanel (Mixpanel, Inc., USA) and Intercom (Intercom, Inc., USA): under each provider's EU data-residency option, your main analytics and usage data is stored and processed within the EU (Mixpanel: Netherlands; Intercom: Ireland — see section 2(l)) and is therefore not transferred to a third country. Only a limited amount of operational data — e.g. account administration, billing and support, and any remote access by the provider's US-based personnel — may still be processed in the USA. This residual operational processing is the only third-country transfer that occurs in respect of these two providers.

Each of these providers — Google LLC, Microsoft Corporation, Mixpanel, Inc. and Intercom, Inc. — is currently self-certified under the EU–US Data Privacy Framework (DPF). Transfers to them are therefore based on the European Commission's DPF adequacy decision of 10 July 2023 (Art. 45 GDPR). As an additional safeguard, and for any transfer to a recipient that is not — or ceases to be — DPF-certified, we rely on the European Commission's Standard Contractual Clauses (Art. 46 GDPR), supplemented by additional measures where necessary, or on another legal basis under Art. 49 GDPR (e.g. your explicit consent, or performance of a contract). We monitor our providers' continued DPF certification status.

7. Data security

We take appropriate technical and organizational measures (Art. 32 GDPR) to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. These include encryption of data in transit (TLS 1.2 or higher) and at rest; role-based access controls on a least-privilege, need-to-know basis with multi-factor authentication and access logging; regular vulnerability scanning and penetration testing; secure software development practices; staff confidentiality obligations and security training; sub-processor due diligence; and a documented incident-response and data-breach notification process. We maintain an information security management system certified to ISO/IEC 27001:2022. Our certificate and further security documentation are available on request trust.valuecase.com .

This privacy policy may be updated from time to time. The date of the current version is shown at the top.