Seroton Privacy Policy
September 26, 2025
Find a privacy policy for the use and processing of data in the Seroton app here.
This privacy policy explains how personal data is processed on the website www.seroton.com by Seroton GmbH. Seroton GmbH only processes data that is necessary for the provision and security of the website and its services, following the principle of data minimization. “Personal data” is any information relating to an identified or identifiable natural person (data subject), such as name, address, telephone number, date of birth, email address, or IP address. Information that cannot be traced to a specific person, for example due to anonymization, is not considered personal data.
1. Data Controller
The person responsible for processing personal data on the website within the meaning of the General Data Protection Regulation (GDPR) is:
Seroton GmbH
Richard-Stücklen-Straße 19
91710 Gunzenhausen
For data protection inquiries or to exercise your rights as a data subject, please contact dataprotection@seroton.com.
2. Data Protection Officer
The data protection officer assigned is:
Kertos GmbH
Brienner Straße 41
80333 Munich
Germany
Email: dsb@kertos.io
3. Data Processing on Our Website
3.1 Provision of the Website
Purpose of Processing:
We process your data in order to
ensure the reliable operation of the website
provide user-friendly access to our website
and maintain IT security
Recipients:
Framer B.V., Singel 542, 1017 AZ Amsterdam, Netherlands (Providing and operating a web-based platform for design and development of websites, prototypes, and interactive user interfaces)
Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855, Luxembourg (Providing cloud infrastructure and services for storage, processing and management of data as well as the operation of web applications and services)
Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland; Shopify Inc., 151 O’Connor Street, Ground Floor, Ottawa, Ontario, K2P 2L8, Canada (Operation and provision of the e-commerce platform)
Processed Data:
IP address of the requesting device
Method (e.g., GET, POST), date and time of the request
Address of the accessed website and path of the requested file
Previously accessed or requesting website/file (HTTP referrer)
Information about the browser and operating system used
Version of the HTTP protocol, HTTP status code, size of the delivered file
Request information such as language, Content-Type, Content-Encoding, character encodings
Legal Basis: Art. 6 para. 1 lit. f GDPR. Processing of the mentioned data is required for the provision of the website as well as to ensure secure and user-friendly operation.
Retention Duration: The collected data will be deleted as soon as they are no longer required for the operation of the website, but at the latest after 30 days, unless there is a legal obligation to retain them.
Further Information:
https://www.framer.com/legal/privacy-statement/
https://aws.amazon.com/compliance/data-privacy/
https://www.shopify.com/legal/privacy
https://www.squarespace.com/privacy
3.2 Google Fonts
Purpose: Displaying website content and fonts
Recipients: Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland and Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Processed Data:
Access data (e.g., IP address, error time)
Device information (e.g., device type, operating system)
Browser data (e.g., browser type, version)
Location data (e.g., country based on IP address)
Legal Basis:
Retention Duration: The data is deleted once the purpose of display is achieved.
Third-Country Transfer: Data can be transferred to servers in the USA. Google is certified under the EU-U.S. Data Privacy Framework, which can allow the transfer based on Art. 45 GDPR. Additionally, standard contractual clauses (SCCs) have been established with Google.
Further Information: https://policies.google.com/privacy
3.3 Newsletter
Purpose: Sending email newsletters to inform about products, services, and company activities
Recipients: HubSpot, Inc., 25 First Street, 2nd Floor, Cambridge, MA 02141, USA (Creation of online forms and surveys)
Processed Data:
Contact details (e.g., email address, name)
Technical data (e.g., time of access, IP address)
Usage data (e.g., open rates, click behavior)
Legal Basis: Consent under Art. 6 para. 1 lit. a GDPR
Retention Duration: The data is stored as long as you are subscribed to the newsletter. After unsubscribing, your data will be deleted unless legal retention obligations conflict.
Third-Country Transfer: It cannot be excluded that the data will be forwarded to a HubSpot server in the USA and stored there. Google has subjected itself to the EU-US Data Privacy Framework and is accordingly certified. Therefore, such data transmissions are based on the legal basis of Art. 45 GDPR.
Further Information: You can unsubscribe from the newsletter at any time by clicking on the unsubscribe link at the end of each newsletter or by sending us an email to the address provided above. https://legal.hubspot.com/privacy-policy.
3.4 Purchase of Products
Purpose: Processing of purchase contracts and delivery of ordered products
Recipients:
Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden
PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (for Google Pay)
Apple Distribution International Ltd., Hollyhill Industrial Estate, Cork, Ireland (for Apple Pay)
Visa Europe Services Inc., London Branch, 1 Sheldon Square, London W2 6TT, United Kingdom
Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium
American Express Europe S.A., Theodor-Heuss-Allee 112, 60486 Frankfurt am Main, Germany
Furnishing Partner Klöber GmbH, Hauptstraße 1, 88696 Owingen, Germany and Luttinger GmbH, Schmitte 11, 6633 Biberwier, Austria (Production and delivery)
Parcel and shipping service providers
Processed Data:
Personal identification data (e.g., name, address)
Contact information (e.g., email address, phone number)
Payment data (e.g., bank details, credit card number)
Order data (e.g., item number, order quantity)
Delivery information (e.g., delivery address, delivery preferences)
Legal Basis: Fulfillment of contract according to Art. 6 para. 1 lit. b GDPR
Retention Duration: Data is retained for the duration of the business relationship and beyond in accordance with the statutory retention periods (usually 10 years after the end of the contract).
Third-Country Transfer: Depending on the chosen payment method, a third-country transfer may take place. For more information, please refer to the privacy policies of the respective payment service providers.
Further Information: The provision of your personal data is required for the conclusion and fulfillment of the contract. Without this data, we cannot conclude or fulfill the contract with you. For detailed information on data processing by payment service providers, we refer to their respective privacy policies.
3.5 Job Applications
Purpose: Selection of applicants for the possible establishment of an employment relationship
Recipients: Personio SE & Co. KG, Seidlstr. 3, 80335 Munich.
Processed Data:
Name
Email address
Phone number
Resume (CV)
Cover letter
Other application documents provided by you
IP address
Browser type and version
Operating system
Date and time of access
Legal Basis: Art. 6 para. 1 lit. b GDPR (execution of pre-contractual measures) and § 26 para. 1 BDSG; Art. 6 para. 1 lit. f GDPR, insofar as our legitimate interest lies in the efficient execution of the application process.
Retention Duration: We store your personal data until the end of the application process. In case of a rejection, your data will be stored for a further six months after notification of the decision. In the event of a legal dispute, further retention until final clarification may occur. In the event of hiring, your application documents will be stored in the personnel file for the duration of the employment relationship. You can withdraw your application at any time or object to the processing; in such cases, your data will be deleted and your application will no longer be considered.
International Data Transfer: A transfer of data to Switzerland is based on an adequacy decision of the European Commission. Transfers to other third countries cannot be excluded. In such cases, JOIN ensures that appropriate safeguards are in place to comply with an adequate level of data protection in accordance with GDPR.
Further Information: https://www.personio.de/datenschutz/
3.6 Analytics and Tracking
Cookies are small text files stored by your browser on your device. Cookies do not run programs and do not install malware. Comparable technologies include Web Storage (Local/Session Storage), Fingerprinting, Tags, and Pixels. Most browsers accept these technologies by default; however, you can adjust your settings to block their usage or request consent. If cookies or similar technologies are blocked, certain functions of the website may not be available in full.
Purpose: We use tracking and analysis tools to continuously optimize our website and tailor it to your needs. To this end, information is collected using the corresponding technologies or device information is combined (device fingerprinting).
Legal Basis: Technically necessary tools for the operation of the website are deployed based on our legitimate interest under Art. 6 para. 1 lit. f GDPR or for the fulfillment of a contract or pre-contractual measures under Art. 6 para. 1 lit. b GDPR. Storage or access to information on your device is mandatory in these cases and governed by § 25 para. 2 TTDSG. Optional tools are only used with your consent according to Art. 6 para. 1 lit. a GDPR in conjunction with § 25 para. 1 TTDSG. Below are the tracking and analysis tools used, including their respective purpose and processed data:
_ga (Google Analytics)
Purpose: Used to distinguish users for web behavior analysis.
Category: Statistics cookies
Retention Duration: 1 year 1 month
ga[ID] (Google Analytics)
Purpose: Supports measuring how users interact with the website.
Category: Statistics cookies
Retention Duration: 1 year 1 month
__cf_bm (HubSpot Forms)
Purpose: Used by Cloudflare to distinguish between real users and bots.
Category: Technically necessary cookies
Retention Duration: 30 minutes
_cfuvid (HubSpot Forms)
Purpose: Supports the distinction of users within a session.
Category: Technically necessary cookies
Retention Duration: Session
Google Analytics 4
Purpose: Web analytics
Recipients: Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland, and Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Processed Data:
Device data (e.g., IP address, device type, screen resolution);
Browser data (e.g., used browser, language, installed plug-ins like ad blockers);
Usage data (e.g., visited pages, time spent per page, click paths, scroll depth, entry, and exit pages);
Event data (events) (e.g., button/link clicks, sent forms);
Location data (e.g., country, city);
Source and traffic data (e.g., referrer URL, access source like a search engine);
Conversion and goal achievement data (e.g., newsletter sign-ups, achieved goals on the website)
Legal Basis:
Third-Country Transfer: For data transfers to the USA, there is an adequacy decision by the EU Commission, the EU-U.S. Data Privacy Framework. Google is certified within this framework, which is why such transfers are based on the legal grounds under Article 45 GDPR. Additionally, so-called standard contractual clauses (SCCs) are concluded with "Google".
Further Information: https://policies.google.com/privacy
Framer Analytics
Purpose: Collection of usage data to improve website performance, user experience, and the functionality of websites created with Framer.
Recipients: Framer B.V., Planciusstraat 75, 1013 MR Amsterdam, Netherlands
Processed Data:
Usage information (e.g., visited pages, used features)
Device information (e.g., browser type, operating system)
Performance data (e.g., load times, interaction events)
General location data (e.g., country, derived from the IP address)
Legal Basis: Legitimate interest according to Art. 6 para. 1 lit. f GDPR (Optimization of website performance and user-friendliness)
Retention Duration: Data is stored for 12 months and then aggregated and anonymized.
Further Information: https://www.framer.com/legal/privacy-statement/
Purpose: Management and triggering of website tags via a unified interface
Recipients: Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland and Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Processed Data:
Access data (e.g., time of page view, referrer URL)
Device data (e.g., IP address, device type)
Browser data (e.g., used browser, language settings)
Event data (e.g., tag triggering, interactions with embedded scripts)
Location data (e.g., country, city – based on IP address)
Retention Duration: Storage of cookies occurs for up to 90 days.
Third-Country Transfer: Data transfer to the USA based on the EU-U.S. Data Privacy Framework (Art. 45 GDPR) and additional standard contractual clauses (SCCs)
Further Information: https://policies.google.com/privacy
4. Contact (Contact Form and Email)
Purpose: Handling and responding to your inquiries
Processed Data:
Name
Email address
Content of your message
Legal Basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in communicating with you). If your inquiry is aimed at concluding or executing a contract, processing is based on Art. 6 para. 1 lit. b GDPR.
Retention Duration: Your data is only stored as long as necessary to fully process your inquiry.
5. Social Media Online Presence
Purpose: Communication with interested parties, information about products and services, and analysis of the use of our online presence
Recipients:
LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
Meta Platforms Ireland Ltd., Merrion Road, Dublin 4, D04 X2K5, Ireland (“Instagram”)
TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“YouTube”)
Processed Data:
Demographic information (e.g., age, gender)
Professional information (e.g., industry, work experience)
Interaction data (e.g., likes, shares)
Usage statistics (e.g., page views, video views)
Content preferences (e.g., popular topics, interests)
Legal Basis:
Art. 6 para. 1 lit. b GDPR (fulfillment of contract and pre-contractual measures)
Art. 6 para. 1 lit. f GDPR (legitimate interest in effective information and communication)
Retention Duration: According to the respective platform's privacy policies
Third-Country Transfer: Possible transfer to the USA and other third countries, dependent on the respective platform
Further Information:
Instagram: https://privacycenter.instagram.com/policy/?entry_point=ig_help_center_data_policy_redirect
LinkedIn:
TikTok: https://www.tiktok.com/legal/privacy-policy-eea?lang=en
Note: We have no influence over the independent data processing by the platform operators. When visiting our online presences, usage data can be transmitted to the operators, who may use it for their own purposes. Data subject rights can be asserted directly against the platform operators.
6. International Data Transfers
Personal data is primarily processed within the EU/EEA. Transfers to so-called "third countries" occur only in compliance with the GDPR and when appropriate safeguards are in place. Before transferring to a service provider in a third country, the level of data protection is checked. Transfer only occurs when adequate protection mechanisms are in place. All service providers must conclude a data processing agreement. For providers outside the EEA, additional measures are required. According to Art. 44 ff. GDPR, a transfer is permissible if at least one of the following conditions is met:
The European Commission has determined an adequate level of data protection.
Standard contractual clauses are agreed with the recipient.
Other suitable safeguards under Art. 46 GDPR are in place.
One of the specific exceptions under Art. 49 GDPR applies.
7. Recipients
We only share the personal data we collect if:
You have given us your explicit consent according to Art. 6 para. 1 lit. a GDPR,
The sharing is necessary to protect our legitimate interests or to assert, exercise, or defend legal claims and there is no reason to assume that your interests or fundamental rights and freedoms, which require the protection of personal data, prevail (Art. 6 para. 1 lit. f GDPR),
We are legally obliged to share data (Art. 6 para. 1 lit. c GDPR), or
This is legally permissible and necessary for the fulfillment of a contract with you or for the execution of pre-contractual measures at your request (Art. 6 para. 1 lit. b GDPR).
Possible recipients are:
· Processors: Group companies or external service providers (e.g., in the area of technical infrastructure and processing, maintenance, payment processing), carefully selected and monitored. Processors may only process data following our instructions.
· Public bodies: Authorities and state institutions (e.g., tax authorities, public prosecutors, courts) to which we must transmit personal data, for example, to fulfill legal obligations or to protect legitimate interests.
8. Data Security and Protection Measures
We implement appropriate technical and organizational measures to ensure the security and confidentiality of your personal data. These measures protect against unauthorized access, manipulation, loss, or misuse. Our security measures are regularly reviewed and adapted to the state of the art and current industry standards.
Please note that despite extensive protective measures, data transmission over the Internet can generally have security gaps. Especially in the case of unencrypted communication (e.g., standard email), there is a risk that data may be read by third parties. We have no influence on the behavior of external parties. We therefore recommend using encryption or other protective measures when transmitting sensitive information electronically to minimize potential risks.
9. Data Retention and Deletion/Blocking of Data
Personal data is deleted or blocked as soon as the purpose for storing it no longer applies. Further storage only occurs if it is required by Union or national regulations to which the controller is subject. The data is also deleted or blocked once a statutory retention period expires, unless further storage is necessary to fulfill a contractual relationship.
10. Data Subject Rights
With regard to your personal data, you have the following rights:
Right of Access (Art. 15 GDPR, § 34 BDSG): You can request information about whether and what personal data we process, for what purpose, to which recipients or categories of recipients the data is disclosed, and how long the data is stored.
Right to Rectification (Art. 16 GDPR): You can request the immediate correction of incorrect personal data or the completion of incomplete personal data.
Right to Erasure (Art. 17 GDPR): You can request the deletion of your personal data, especially if it is no longer necessary, you withdraw your consent, or the data was processed unlawfully.
Right to Restriction of Processing (Art. 18 GDPR): You can request the restriction of the processing of your data, for example, if the accuracy of the data is disputed.
Right to Data Portability (Art. 20 GDPR): You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format or, if technically feasible, to request the transfer to another controller.
Right to Withdraw Consent (Art. 7 para. 3 GDPR): You can withdraw a given consent at any time with effect for the future. The legality of the data processing carried out until the withdrawal remains unaffected.
Right to Object (Art. 21 GDPR): You can object to the processing of your personal data for reasons arising from your particular situation, especially in connection with direct marketing or associated profiling.
Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR): You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates data protection regulations.
