Privacy Policy
1. Controller
The controller within the meaning of the EU General Data Protection Regulation (GDPR) is:
Mark Hollering
c/o COCENTER
Koppoldstr. 1
86551 Aichach
Germany
Email: contact@patchmygear.com
(“we”, “us”)
This privacy policy applies to the website:
PatchMyGear – patchmygear.com
(hereinafter referred to as the “Website”).
2. General information on data processing
We process personal data of our users only insofar as this is necessary to provide a functional Website as well as our content and services, or if you have given us your consent.
The processing of personal data is carried out in accordance with the provisions of the GDPR and the applicable national data protection laws (in particular the German Federal Data Protection Act – BDSG and, where applicable, the German Telecommunications Digital Services Data Protection Act – TDDDG).
Legal bases
Unless stated otherwise in this privacy policy, we rely in particular on the following legal bases:
Art. 6(1)(b) GDPR
Processing for the performance of a contract with you or in order to take steps at your request prior to entering into a contract (for example, when you contact us to request an offer).
Art. 6(1)(f) GDPR
Processing based on our legitimate interests, e.g. ensuring a secure, stable and user-friendly provision of the Website, as well as minimal, privacy-friendly web analytics.
Art. 6(1)(a) GDPR
Where we request your consent for specific processing operations (e.g. optional tools), the processing is based on that consent.
Where we store information on, or access information from, your end device (e.g. cookies), the legal basis is Section 25 TDDDG (see Section 9 below).
3. Hosting of the Website (Vercel)
Our Website is hosted by:
Vercel Inc.
440 N Barranca Ave #4133
Covina, CA 91723
USA
(“Vercel”)
When you visit our Website, personal data (such as your IP address and browser information) are processed on Vercel’s servers.
We have concluded a data processing agreement (DPA) with Vercel pursuant to Art. 28 GDPR, under which Vercel acts as our processor and is contractually obliged to process personal data only in accordance with our instructions and in compliance with the GDPR.
Third-country transfers (USA) & EU–US Data Privacy Framework
As Vercel is based in the USA, a transfer of personal data to the United States cannot be excluded. Vercel participates in the EU–US Data Privacy Framework (DPF). On this basis, the European Commission has adopted an adequacy decision pursuant to Art. 45 GDPR, confirming that, for certified companies, the USA provides an adequate level of data protection comparable to that in the EU.
Further information on data protection at Vercel can be found in Vercel’s Privacy Policy.
We use Vercel on the basis of our legitimate interest in a secure, efficient and scalable provision of our Website (Art. 6(1)(f) GDPR).
4. Backend services, database and file storage (Supabase)
For the operation of our backend services, as well as for database services and file storage, we use:
Supabase, Inc.
(“Supabase”)
Supabase is used in particular to store and manage data required for the operation of our services.
When content is retrieved directly from Supabase storage, technical connection data (in particular IP address and request metadata) are processed to deliver the requested content. We ensure that content made available for direct retrieval does not contain personal data unless such publication is intended and legally permissible.
Legal basis:
- Art. 6(1)(f) GDPR (legitimate interest in the secure and efficient operation of our backend services and the provision of Website functionality); and
- where applicable, Art. 6(1)(b) GDPR (performance of a contract or pre-contractual measures).
We have concluded a data processing agreement (DPA) with Supabase pursuant to Art. 28 GDPR, under which Supabase acts as our processor insofar as it processes personal data on our behalf and under our instructions.
Third-country transfers
Supabase is a provider with corporate presence outside the EU/EEA. A transfer of personal data to third countries (in particular the USA) cannot be excluded, for example in the context of support and administration. Where required, such transfers are safeguarded in accordance with the GDPR (e.g. by Standard Contractual Clauses and/or other appropriate safeguards, as applicable).
5. Access data and server log files
When you access our Website, your browser automatically transmits information to our hosting provider’s server, which is stored temporarily in server log files. This may include:
- IP address of your device
- Date and time of the request
- Time zone difference to Greenwich Mean Time (GMT)
- Accessed page / file and amount of data transferred
- Message whether the request was successful (HTTP status code)
- Referrer URL (the previously visited page)
- Browser type and version
- Operating system and its interface
These data are processed for the following purposes:
- Ensuring a smooth connection to the Website
- Ensuring comfortable use of our Website
- Evaluation of system security and stability
- Technical administration of the hosting environment
The legal basis for this data processing is Art. 6(1)(f) GDPR. Our legitimate interest follows from the purposes listed above.
Log files are deleted after an appropriate retention period, unless longer storage is required for evidentiary purposes (e.g. in case of misuse or fraud), in which case the data are deleted after the incident has been conclusively clarified.
6. Contact via email or contact form
If you contact us by email or via a contact form on the Website, we process the personal data you provide (e.g. name, email address, content of the message) in order to handle your enquiry and any follow-up communication.
Purpose: Handling and replying to your enquiry, and any subsequent communication.
Legal basis:
- Art. 6(1)(b) GDPR, where your enquiry is related to (pre-)contractual measures.
- Art. 6(1)(f) GDPR in all other cases (our legitimate interest in processing and answering enquiries).
We will delete the data arising in this context after storage is no longer necessary for the respective purpose (e.g. once your enquiry has been fully answered), unless statutory retention obligations require a longer storage period.
7. Bot protection for forms (Cloudflare Turnstile)
To protect our forms against automated submissions (spam and bot abuse) and to ensure the security and availability of our Website, we use Cloudflare Turnstile, a service provided by:
Cloudflare, Inc.
101 Townsend St
San Francisco, CA 94107
USA
(“Cloudflare”)
When Turnstile is used, Cloudflare processes technical and security-related information (in particular IP address, device and browser characteristics and related connection data) in order to detect and prevent abusive or automated requests.
Cookies / similar technologies: Depending on the configuration and risk assessment, Cloudflare may use technically necessary cookies or similar technologies for security purposes (e.g. to support abuse prevention and to reduce repeated challenges).
Legal basis:
- Art. 6(1)(f) GDPR (legitimate interest in preventing misuse, ensuring IT security and maintaining the availability of our services).
- Section 25(2) TDDDG (storage/access on the end device insofar as strictly necessary to provide the requested security function).
Third-country transfers: As Cloudflare is based in the USA, a transfer of personal data to the United States cannot be excluded. Where required, such transfers are safeguarded in accordance with the GDPR (e.g. by Standard Contractual Clauses and/or other appropriate safeguards, as applicable).
8. Web analytics with Vercel Web Analytics
We use Vercel Web Analytics, a service provided by Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA.
How Vercel Web Analytics works and which data are processed
Vercel Web Analytics enables us to analyse how our Website is used and to improve it. The service is designed to be privacy-friendly and does not use cookies:
- No third-party cookies are set.
- Instead, visitors are distinguished using a hash generated from the incoming request.
- This hash is only used to distinguish page views within a single session of up to 24 hours; afterwards, the underlying session data are discarded.
With each page view, the following data may be processed as anonymised or pseudonymised usage data:
- Accessed URL and dynamic paths
- Referrer URL (the website you visited before ours)
- Query parameters (insofar as not filtered or shortened by us)
- Timestamp of the page view
- Rough geolocation (e.g. country, region, city)
- Device type (desktop, tablet, mobile)
- Operating system and version
- Browser type and version
According to Vercel, the data are used only to provide aggregated statistics and do not enable the reconstruction of full individual browsing sessions across different websites.
No transmission of plain personal identifiers
We configure Vercel Web Analytics so that no plain personal identifiers (such as names, email addresses, concrete user IDs, order numbers, tokens, etc.) are transmitted in URLs or custom events. Where necessary, we use mechanisms to redact or filter sensitive parameters before data are sent to Vercel.
Legal basis
We use Vercel Web Analytics on the basis of our legitimate interest in accordance with Art. 6(1)(f) GDPR. This interest lies in the statistical analysis of the use of our Website in order to optimise its content, functions and user experience, while avoiding invasive tracking methods and third-party cookies.
Due to the privacy-friendly design (no cookies, short retention period, no cross-site profiling), we consider that no overriding interests of the data subjects oppose this processing.
Objection options (browser / system-level)
To some extent, you can object to analytics and profiling in your browser by:
- enabling “Do Not Track” (DNT) in your browser settings; or
- using technical measures such as content blockers.
If we provide a specific opt-out option for Vercel Web Analytics on our Website in the future, we will inform you about it here.
9. Use of cookies
At present, we do not use non-essential cookies for analytics or marketing purposes on our Website.
Technically necessary cookies (e.g. to display the Website correctly or to store your session preferences) may be used without your consent, in particular where they are required to ensure the secure and technically error-free operation of the Website and its functions (e.g. security and abuse prevention, including bot protection for forms; see Section 7). The legal basis in such cases is Art. 6(1)(f) GDPR in conjunction with Section 25(2) TDDDG, where applicable (our legitimate interest in the technically error-free, secure and optimised operation of the Website).
Should we introduce additional cookies or similar technologies for analytics or marketing purposes in the future, we will inform you via an appropriate cookie / consent banner and – where required – obtain your consent beforehand (Art. 6(1)(a) GDPR, Section 25(1) TDDDG).
10. Recipients of personal data / processors
To provide this Website and the related functionality, we may engage additional external service providers (e.g. email providers, IT service providers). These service providers process personal data exclusively on our behalf and on the basis of a data processing agreement in accordance with Art. 28 GDPR.
We only disclose personal data to other recipients if:
- this is necessary for the performance of a contract with you (Art. 6(1)(b) GDPR),
- we are legally obliged to do so (Art. 6(1)(c) GDPR), or
- you have given your consent (Art. 6(1)(a) GDPR).
11. Storage periods
Unless a more specific storage period is stated in this privacy policy, we store personal data only for as long as is necessary for the respective purposes or as required by statutory retention obligations.
Once the processing purpose ceases to apply or statutory retention periods expire, the personal data will be deleted or anonymised in accordance with the legal requirements.
For Vercel Web Analytics, the underlying session data are discarded after a maximum of 24 hours. We only have access to aggregated statistics, not to individual session logs.
12. Your rights as a data subject
As a data subject, you have the following rights under the GDPR:
- Right of access (Art. 15 GDPR)
You have the right to obtain confirmation as to whether or not personal data concerning you are being processed and, where that is the case, access to those data and further information.
- Right to rectification (Art. 16 GDPR)
You have the right to obtain the rectification of inaccurate personal data and to have incomplete data completed.
- Right to erasure (Art. 17 GDPR)
You have the right to obtain the erasure of personal data concerning you, unless statutory retention obligations or other legal grounds require further storage.
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
Where we process data on the basis of Art. 6(1)(f) GDPR (legitimate interests), you have the right to object, on grounds relating to your particular situation, at any time to such processing. We will then no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.
- Right to withdraw consent (Art. 7(3) GDPR)
Where processing is based on your consent, you have the right to withdraw that consent at any time with effect for the future.
To exercise your rights, you can contact us at any time:
contact@patchmygear.com
13. Right to lodge a complaint with a supervisory authority
If you believe that the processing of personal data relating to you infringes the GDPR, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU Member State of your habitual residence, place of work or place of the alleged infringement (Art. 77 GDPR).
14. Obligation to provide personal data
Some personal data are technically or contractually necessary for the operation of our Website and for handling your enquiries (e.g. IP address, browser data, contact details). Without this data, we may not be able to provide you with all features of the Website or respond to your requests.
15. Automated decision-making / profiling
We do not use automated decision-making, including profiling, within the meaning of Art. 22 GDPR.
16. Data security (TLS / SSL encryption)
We use TLS / SSL encryption on our Website to protect the transmission of confidential content (for example, enquiries that you send to us). You can recognise an encrypted connection by the character string “https://” and the lock symbol in the address bar of your browser.
17. Changes to this privacy policy
We may update this privacy policy in the future, for example if we implement new services or functionalities on the Website or if the legal framework changes.
You can access the current version of this privacy policy at any time at:
https://patchmygear.com/privacy
Last updated: March 22, 2026