Garmingo Privacy Policy

Version: 2.0
Last Updated: April 29, 2026


Table of Contents

  1. Controller and Contact Information
  2. Overview
  3. Data We Collect and How We Collect It
  4. Purposes and Legal Bases for Processing
  5. Third-Party Service Providers and Data Recipients
  6. International Data Transfers
  7. Data Retention
  8. Cookies and Similar Technologies
  9. Social Login (OAuth)
  10. Marketing and Newsletter Communications
  11. Security
  12. Children's Privacy
  13. Your Rights Under the GDPR
  14. Right to Lodge a Complaint
  15. Changes to This Privacy Policy
  16. Contact and Requests

1. Controller and Contact Information

The controller responsible for the processing of your personal data within the meaning of Art. 4(7) GDPR is:

Garmingo Unternehmergesellschaft (haftungsbeschränkt)
Trading name: Garmingo
Hörder Straße 324
58454 Witten
Germany

Email: support@garmingo.com
Management: management@garmingo.com

(hereinafter "Garmingo", "we", "us", "our")

Appointment of a Data Protection Officer (DPO): Garmingo is not currently subject to the obligation to appoint a Data Protection Officer under Art. 37 GDPR. If you have data protection-related questions or requests, please contact us directly at support@garmingo.com.


2. Overview

This Privacy Policy describes how Garmingo collects, processes, stores, and shares personal data when you use our services, including:

  • The Garmingo website at https://garmingo.com and associated subdomains (the "Website");
  • Garmingo Status — our SaaS-based uptime monitoring service;
  • Garmingo Voice — our AI-powered desktop application for speech enhancement, dictation, and meeting transcription;
  • Any other products or services offered by Garmingo that link to this Privacy Policy.

We process personal data only to the extent necessary and only where a valid legal basis under Art. 6 GDPR (and, where applicable, Art. 9 GDPR) exists. We do not sell your personal data to third parties.

This Privacy Policy applies alongside our General Terms of Service and any applicable product-specific terms.


3. Data We Collect and How We Collect It

3.1 Data You Provide Directly

When you create an Account, purchase a subscription, or contact us, you may provide us with the following personal data:

| Category | Examples |
| --- | --- |
| Identity data | First name, last name, username |
| Contact data | Email address |
| Account credentials | Hashed password (we never store plaintext passwords) |
| Billing and transaction data | Billing name, billing address, transaction reference numbers (note: full payment card data is handled exclusively by our payment processor — see Section 5) |
| Communications data | Messages and attachments you send to our support team |
| Preferences | Account and notification settings |

You are not required to provide all of the above data, but certain data is necessary for us to provide the Services. We will indicate which fields are mandatory at the point of collection.

3.2 Data Collected Automatically

When you access and use our Services, we and our service providers may automatically collect certain technical data:

| Category | Examples | Source |
| --- | --- | --- |
| Log data | IP address, browser type and version, operating system, referring URL, pages visited, date and time of access | Web server logs |
| Device data | Device type, hardware model, operating system version | App / browser |
| Usage data | Features accessed, actions taken within the Services, session duration | Analytics (see 3.3) |
| Error and diagnostic data | Crash reports, error logs (if applicable) | App telemetry |

3.3 Analytics Data

We use analytics tooling to understand how our Services are used and to improve them. We currently operate the following analytics solutions:

  • Self-hosted analytics (cookie-free): We operate a self-hosted, privacy-preserving analytics solution for the Website. This solution does not use cookies, does not track users across websites, and does not process data in a way that allows us to identify individual users. Data is processed exclusively on infrastructure under our control within the European Union. No personal data is transferred to third parties in connection with this analytics solution.
  • PostHog (potentially): We may use PostHog for product analytics to understand how users interact with the Services. Where used, PostHog may be deployed in a self-hosted or EU-hosted configuration. PostHog analytics may involve the processing of pseudonymous usage data (such as session identifiers and interaction events). We will update this Privacy Policy prior to any deployment of PostHog. For more information, see https://posthog.com/privacy.

3.4 Data Processed in Connection with Garmingo Voice (Desktop App)

Garmingo Voice processes audio and speech data locally on your device and/or via cloud-based AI infrastructure, depending on the features you use and the settings you configure. The following applies:

  • Local processing: Where you use local AI models within Garmingo Voice, your audio and transcription data is processed exclusively on your own device. This data is not transmitted to Garmingo or to any third party.
  • Cloud processing: Where you use cloud-based AI features (e.g., speech enhancement or transcription powered by cloud AI models), your audio data is transmitted to our AI infrastructure provider (Mistral AI) for processing. This processing occurs under GDPR-compliant terms (see Section 5). We transmit only the minimum data necessary for the requested feature.

We recommend that you review the settings within Garmingo Voice to understand and control which features involve cloud processing.

3.5 Data from Third-Party Authentication Providers (Social Login)

If you register or log in using a third-party OAuth provider (currently GitHub and Google), we receive a limited set of data from those providers necessary to create and authenticate your Account. See Section 9 for details.

3.6 Data We Do Not Collect

We do not intentionally collect or process:

  • Special categories of personal data (Art. 9 GDPR), such as health data, racial or ethnic origin, political opinions, religious beliefs, biometric or genetic data;
  • Personal data of children under 18 years of age (see Section 12);
  • Full payment card numbers or CVV codes (these are handled exclusively by our payment processor).

4. Purposes and Legal Bases for Processing

We process your personal data only where we have a valid legal basis under Art. 6 GDPR. The following table sets out our main processing activities and their corresponding purposes and legal bases.

| Purpose | Data Categories | Legal Basis |
| --- | --- | --- |
| Providing and operating the Services (account management, authentication, delivering features you use) | Identity, contact, account credentials, usage data | Art. 6(1)(b) GDPR — performance of a contract |
| Processing payments and managing subscriptions | Billing data, transaction references | Art. 6(1)(b) GDPR — performance of a contract |
| Sending transactional communications (account confirmations, password resets, invoices, service notifications) | Identity, contact data | Art. 6(1)(b) GDPR — performance of a contract |
| Customer support | Identity, contact data, communications data | Art. 6(1)(b) GDPR — performance of a contract; Art. 6(1)(f) — legitimate interest in providing effective support |
| Service improvement and analytics | Usage data, log data (anonymised or pseudonymised) | Art. 6(1)(f) GDPR — legitimate interest in understanding and improving our Services |
| Security, fraud prevention, and abuse detection | Log data, account data, usage data | Art. 6(1)(f) GDPR — legitimate interest in protecting the Services and our users |
| Legal compliance (tax records, compliance with legal obligations) | Billing data, identity data | Art. 6(1)(c) GDPR — compliance with a legal obligation |
| Marketing and newsletter communications | Email address, name, communication preferences | Art. 6(1)(a) GDPR — consent (freely given and withdrawable at any time; see Section 10) |
| Enforcement of our Terms of Service | Relevant account and usage data | Art. 6(1)(f) GDPR — legitimate interest in enforcing our contractual rights |
| AI model training (opt-in only) | Pseudonymised usage data and/or interaction data | Art. 6(1)(a) GDPR — consent (opt-in only; see Section 4.1) |

Legitimate interests balancing test: Where we rely on Art. 6(1)(f) GDPR (legitimate interests), we have assessed that our interests are not overridden by your interests or fundamental rights. You have the right to object to processing based on legitimate interests at any time (see Section 13.7).

4.1 Opt-In: AI Training Data Contribution

We may offer you the option to voluntarily contribute pseudonymised usage data (such as interaction patterns, feature usage, or similar telemetry) to help improve AI models used within our Services. This programme is entirely opt-in: we will only process your data for this purpose if you have given your express, freely given, and specific consent by actively enabling the relevant option in your account or application settings.

Key characteristics of this processing:

  • Participation is always voluntary. You will not be penalised or disadvantaged for declining or for withdrawing your participation at any time.
  • Data is pseudonymised before use. Direct identifiers (such as your name or email address) are removed or replaced with non-identifying references prior to any use for training purposes.
  • You may withdraw your consent at any time via your account settings or by contacting us at support@garmingo.com, with effect for future processing. Withdrawal does not affect data already incorporated into a trained model where technical reversal is not reasonably feasible.
  • The specific data types contributed, and any third-party processors involved, will be clearly disclosed at the point of opt-in.

5. Third-Party Service Providers and Data Recipients

We engage the following categories of third-party processors and recipients that may receive or process your personal data on our behalf. Where a third party acts as a data processor, we have entered into a Data Processing Agreement (DPA) with them as required by Art. 28 GDPR.

5.1 Payment Processing — Polar.sh

All payment transactions are processed by Polar Software, Inc. ("Polar.sh"). Garmingo does not store or process full payment card data; such data is handled exclusively by Polar.sh under their own security and compliance standards.

5.2 Authentication — Better Auth (Self-Hosted)

Account authentication is handled via Better Auth, deployed on our own self-hosted infrastructure within the European Union. Credential data (hashed passwords, session tokens) does not leave our infrastructure.

5.3 Cloud AI Processing — Garmingo Voice

When you use cloud AI features within Garmingo Voice, your audio and/or transcription data is processed by Mistral AI (Mistral AI SAS) — GDPR compliance confirmed under applicable terms.
Privacy Policy: https://mistral.ai/terms/#privacy-policy

Data is transmitted to Mistral AI only when you actively use features that require cloud AI processing. We transmit only the minimum data necessary for the requested feature. We recommend reviewing Mistral AI's privacy policy for full details on how submitted data is processed.

5.4 Social Login Providers

If you use social login, the following providers may share data with us (see Section 9):

  • GitHub (GitHub, Inc. / Microsoft Corporation)
  • Google (Google LLC / Alphabet Inc.)

5.5 Marketing Email — Listmonk (Self-Hosted)

Marketing and newsletter communications are sent via Listmonk, a self-hosted, open-source email platform deployed on our own infrastructure within the European Union. Your email address and subscription preferences are stored on our own servers and are not shared with any third-party email marketing platform.

Transactional emails (e.g., account confirmation, password reset, invoices) may be delivered via a transactional email relay service. We will update this section if and when a specific relay provider is used.

5.6 Hosting and Infrastructure

Our Services and data are hosted on infrastructure located within the European Union. We will update this section if hosting arrangements change.

5.7 Disclosure to Authorities

We may disclose personal data to competent authorities (including law enforcement, courts, or regulatory bodies) if and to the extent we are required to do so by applicable law, a binding court order, or in order to protect the legal rights and interests of Garmingo or third parties.


6. International Data Transfers

Garmingo's primary data storage and processing infrastructure is located within the European Union. We endeavour to keep personal data within the EEA wherever possible.

Certain third-party service providers (in particular, AI processing provider Mistral AI, and social login providers GitHub and Google) may be based outside the European Economic Area, including in the United States.

Where personal data is transferred to a third country, we ensure that one or more of the following transfer mechanisms applies:

  • The recipient country has been recognised by the European Commission as providing an adequate level of data protection (adequacy decision pursuant to Art. 45 GDPR);
  • The transfer is subject to Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Art. 46(2)(c) GDPR;
  • The recipient has provided appropriate safeguards under Art. 46 GDPR and the transfer is necessary for performance of the contract.

You may request further information about the specific transfer mechanisms in place for any particular provider by contacting us at support@garmingo.com.


7. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law.

| Data Category | Retention Period | Basis |
| --- | --- | --- |
| Account data (identity, contact, credentials) | Duration of active account + up to 3 years after account deletion | Statute of limitations under German law (§ 195 BGB); legitimate interest in resolving disputes |
| Billing and transaction records | 10 years from the date of the transaction | Legal obligation under §§ 238, 257 HGB and § 147 AO (German commercial and tax record-keeping requirements) |
| Support communications | 3 years from closure of the support request | Legitimate interest; statute of limitations |
| Log and access data | 90 days unless retained longer for a specific security or legal reason | Legitimate interest in security and abuse prevention |
| Marketing / newsletter subscription data | Until you withdraw consent or unsubscribe, + 3 years thereafter for evidence purposes | Legal obligation to demonstrate consent; legitimate interest |
| Analytics data (anonymised/aggregated) | Indefinitely (as it no longer constitutes personal data once anonymised) | N/A — anonymised data is not subject to GDPR retention limits |

After the applicable retention period expires, personal data is securely deleted or anonymised.


8. Cookies and Similar Technologies

8.1 Our Approach

We aim to operate our Website and Services with minimal use of cookies. Our self-hosted analytics solution (see Section 3.3) does not use cookies or local storage tracking mechanisms.

8.2 Technically Necessary Cookies

We use a limited number of session cookies that are strictly necessary for the operation of the Services — for example, to maintain your authenticated session after login. These cookies are set by our own infrastructure, are not used for tracking or advertising purposes, and do not require your consent pursuant to § 25(2) No. 2 TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz).

8.3 Optional / Analytics Cookies

If we introduce analytics tools that use cookies (such as PostHog where deployed in a cookie-based configuration), we will request your prior consent in accordance with § 25(1) TDDDG before setting any non-essential cookies. You may withdraw such consent at any time via your cookie preferences.

8.4 Managing Cookies

You can control and delete cookies through your browser settings at any time. Please note that disabling technically necessary cookies may affect the functionality of the Services.


9. Social Login (OAuth)

If you choose to register or log in to the Services using your GitHub or Google account, those providers will authenticate your identity and share a limited set of data with us. The data we receive typically includes:

  • Your name or display name as registered with the provider;
  • Your email address registered with the provider;
  • A provider-specific user identifier (used for authentication purposes only).

We do not receive your password from these providers and do not have access to your full social account profile, contacts, or other data beyond what is necessary for authentication.

Your use of GitHub and Google OAuth is also governed by the respective providers' privacy policies:

You may disconnect social login from your Account at any time via your account settings.


10. Marketing and Newsletter Communications

We send marketing and newsletter emails using our self-hosted Listmonk platform. We will only send you marketing communications if you have provided your express, freely given, and informed consent in accordance with Art. 6(1)(a) GDPR and § 7 UWG (Gesetz gegen den unlauteren Wettbewerb).

We use a confirmed opt-in (double opt-in) procedure: after you sign up for our newsletter, we will send you a confirmation email with a verification link that you must click to activate your subscription. We retain evidence of your consent.

You may withdraw your consent and unsubscribe from marketing communications at any time, free of charge, by:

  • Clicking the unsubscribe link included in every marketing email; or
  • Contacting us at support@garmingo.com.

Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal. After unsubscribing, we will cease sending you marketing emails within a reasonable time.

10.3 Transactional Emails

We may send you transactional emails that are necessary for the performance of our contract with you (such as account confirmations, password resets, subscription confirmations, and invoices). These are not marketing communications and are not subject to the opt-in requirement. You may not opt out of transactional communications while your Account is active.


11. Security

We implement appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, alteration, disclosure, or destruction. These measures include, where applicable:

  • Hashed storage of passwords (bcrypt or equivalent);
  • Encrypted data transmission (TLS/HTTPS);
  • Access controls and least-privilege principles for internal systems;
  • Regular review of our security practices.

Please be aware that no method of transmission over the internet or electronic storage is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority and, where required by Art. 34 GDPR, notify you directly without undue delay.


12. Children's Privacy

Our Services are not directed at, and we do not knowingly collect personal data from, persons under the age of 18 years. If you are under 18, you must not use our Services or provide us with any personal data.

If we become aware that we have inadvertently collected personal data from a person under the age of 18, we will delete that data promptly. If you believe we may have collected personal data from or about a person under 18, please contact us at support@garmingo.com.


13. Your Rights Under the GDPR

As a data subject under the GDPR, you have the following rights regarding your personal data. We respond to all valid requests within one month of receipt, which may be extended by up to two further months in complex cases (with notification to you).

13.1 Right of Access (Art. 15 GDPR)

You have the right to obtain confirmation as to whether we are processing personal data about you, and if so, to receive a copy of that data along with information about the processing (purposes, categories of data, recipients, retention periods, etc.).

13.2 Right to Rectification (Art. 16 GDPR)

You have the right to request correction of inaccurate personal data or completion of incomplete personal data we hold about you.

13.3 Right to Erasure ("Right to be Forgotten") (Art. 17 GDPR)

You have the right to request deletion of your personal data where:

  • The data is no longer necessary for the purposes for which it was collected;
  • You have withdrawn consent and there is no other legal basis for processing;
  • You have objected to processing and there are no overriding legitimate grounds;
  • The data has been unlawfully processed;
  • Deletion is required by applicable law.

This right does not apply where processing is necessary for compliance with a legal obligation, or for the establishment, exercise, or defence of legal claims.

13.4 Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request restriction of processing in certain circumstances, including where you contest the accuracy of the data, where processing is unlawful but you prefer restriction to erasure, or where you have objected to processing pending verification of our legitimate grounds.

13.5 Right to Data Portability (Art. 20 GDPR)

Where we process your personal data on the basis of your consent or for the performance of a contract, and processing is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.

Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal. You may withdraw consent by contacting us at support@garmingo.com or, for newsletter communications, by using the unsubscribe link in any marketing email.

13.7 Right to Object (Art. 21 GDPR)

You have the right to object at any time to the processing of your personal data where we rely on Art. 6(1)(f) GDPR (legitimate interests) as our legal basis. Upon your objection, we will cease processing unless we can demonstrate compelling legitimate grounds for processing that override your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defence of legal claims.

Where personal data is processed for direct marketing purposes, you have an unconditional right to object at any time, and we will cease processing for that purpose immediately without the need to demonstrate compelling grounds.

13.8 Right Not to be Subject to Automated Decision-Making (Art. 22 GDPR)

We do not currently make decisions that produce legal or similarly significant effects on you based solely on automated processing, including profiling.

13.9 How to Exercise Your Rights

To exercise any of the rights set out above, please contact us at:

Email: support@garmingo.com
Post: Garmingo UG (haftungsbeschränkt), Hörder Straße 324, 58454 Witten, Germany

We may request additional information to verify your identity before processing your request. We will not charge a fee for responding to a legitimate request, unless requests are manifestly unfounded or excessive.


14. Right to Lodge a Complaint

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a competent supervisory authority if you believe that the processing of your personal data infringes the GDPR.

The supervisory authority competent for Garmingo is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestraße 2–4
40213 Düsseldorf
Germany
Website: https://www.ldi.nrw.de
Email: poststelle@ldi.nrw.de

You may also lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, your place of work, or the place where the alleged infringement occurred.

We would nevertheless appreciate the opportunity to address your concerns directly before you contact the supervisory authority — please reach out to us at support@garmingo.com.


15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or the structure of our Services. We will notify you of material changes by:

  • Sending an email to the address registered with your Account; and/or
  • Publishing a prominent notice on our Website.

The updated Privacy Policy will indicate the revised "Last Updated" date at the top of this document. For significant changes, we will provide reasonable advance notice before the changes take effect. Your continued use of the Services after the effective date of any update constitutes acknowledgment of the updated Privacy Policy.

We encourage you to review this Privacy Policy periodically.


16. Contact and Requests

For any questions, requests, or concerns regarding this Privacy Policy or our data processing practices, please contact us at:

Garmingo Unternehmergesellschaft (haftungsbeschränkt)
Hörder Straße 324
58454 Witten
Germany

| Purpose | Contact |
| --- | --- |
| Data protection / privacy requests | support@garmingo.com |
| General management / legal | management@garmingo.com |
| Abuse reports | abuse@garmingo.com |

We endeavour to respond to all data protection requests within one month in accordance with Art. 12(3) GDPR.


_This Privacy Policy constitutes the Datenschutzerklärung of Garmingo Unternehmergesellschaft (haftungsbeschränkt) and has been drafted with the aim of complying with applicable European and German data protection law, including the General Data Protection Regulation (GDPR / DSGVO), the Bundesdatenschutzgesetz (BDSG), and the Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG)._

_This document does not constitute legal advice. Garmingo recommends that this Privacy Policy be reviewed by a qualified attorney prior to publication._