Garmingo Privacy Policy
Version: 2.0
Last Updated: April 29, 2026
Table of Contents
- Controller and Contact Information
- Overview
- Data We Collect and How We Collect It
- Purposes and Legal Bases for Processing
- Third-Party Service Providers and Data Recipients
- International Data Transfers
- Data Retention
- Cookies and Similar Technologies
- Social Login (OAuth)
- Marketing and Newsletter Communications
- Security
- Children's Privacy
- Your Rights Under the GDPR
- Right to Lodge a Complaint
- Changes to This Privacy Policy
- Contact and Requests
1. Controller and Contact Information
The controller responsible for the processing of your personal data within the meaning of Art. 4(7) GDPR is:
Garmingo Unternehmergesellschaft (haftungsbeschränkt)
Trading name: Garmingo
Hörder Straße 324
58454 Witten
Germany
Email: support@garmingo.com
Management: management@garmingo.com
(hereinafter "Garmingo", "we", "us", "our")
Appointment of a Data Protection Officer (DPO): Garmingo is not currently subject to the obligation to appoint a Data Protection Officer under Art. 37 GDPR. If you have data protection-related questions or requests, please contact us directly at support@garmingo.com.
2. Overview
This Privacy Policy describes how Garmingo collects, processes, stores, and shares personal data when you use our services, including:
- The Garmingo website at https://garmingo.com and associated subdomains (the "Website");
- Garmingo Status — our SaaS-based uptime monitoring service;
- Garmingo Voice — our AI-powered desktop application for speech enhancement, dictation, and meeting transcription;
- Any other products or services offered by Garmingo that link to this Privacy Policy.
We process personal data only to the extent necessary and only where a valid legal basis under Art. 6 GDPR (and, where applicable, Art. 9 GDPR) exists. We do not sell your personal data to third parties.
This Privacy Policy applies alongside our General Terms of Service and any applicable product-specific terms.
3. Data We Collect and How We Collect It
3.1 Data You Provide Directly
When you create an Account, purchase a subscription, or contact us, you may provide us with the following personal data:
| Category | Examples |
|---|---|
| Identity data | First name, last name, username |
| Contact data | Email address |
| Account credentials | Hashed password (we never store plaintext passwords) |
| Billing and transaction data | Billing name, billing address, transaction reference numbers (note: full payment card data is handled exclusively by our payment processor — see Section 5) |
| Communications data | Messages and attachments you send to our support team |
| Preferences | Account and notification settings |
You are not required to provide all of the above data, but certain data is necessary for us to provide the Services. We will indicate which fields are mandatory at the point of collection.
3.2 Data Collected Automatically
When you access and use our Services, we and our service providers may automatically collect certain technical data:
| Category | Examples | Source |
|---|---|---|
| Log data | IP address, browser type and version, operating system, referring URL, pages visited, date and time of access | Web server logs |
| Device data | Device type, hardware model, operating system version | App / browser |
| Usage data | Features accessed, actions taken within the Services, session duration | Analytics (see 3.3) |
| Error and diagnostic data | Crash reports, error logs (if applicable) | App telemetry |
3.3 Analytics Data
We use analytics tooling to understand how our Services are used and to improve them. We currently operate the following analytics solutions:
- Self-hosted analytics (cookie-free): We operate a self-hosted, privacy-preserving analytics solution for the Website. This solution does not use cookies, does not track users across websites, and does not process data in a way that allows us to identify individual users. Data is processed exclusively on infrastructure under our control within the European Union. No personal data is transferred to third parties in connection with this analytics solution.
- PostHog (potentially): We may use PostHog for product analytics to understand how users interact with the Services. Where used, PostHog may be deployed in a self-hosted or EU-hosted configuration. PostHog analytics may involve the processing of pseudonymous usage data (such as session identifiers and interaction events). We will update this Privacy Policy prior to any deployment of PostHog. For more information, see https://posthog.com/privacy.
3.4 Data Processed in Connection with Garmingo Voice (Desktop App)
Garmingo Voice processes audio and speech data locally on your device and/or via cloud-based AI infrastructure, depending on the features you use and the settings you configure. The following applies:
- Local processing: Where you use local AI models within Garmingo Voice, your audio and transcription data is processed exclusively on your own device. This data is not transmitted to Garmingo or to any third party.
- Cloud processing: Where you use cloud-based AI features (e.g., speech enhancement or transcription powered by cloud AI models), your audio data is transmitted to our AI infrastructure provider (Mistral AI) for processing. This processing occurs under GDPR-compliant terms (see Section 5). We transmit only the minimum data necessary for the requested feature.
We recommend that you review the settings within Garmingo Voice to understand and control which features involve cloud processing.
3.5 Data from Third-Party Authentication Providers (Social Login)
If you register or log in using a third-party OAuth provider (currently GitHub and Google), we receive a limited set of data from those providers necessary to create and authenticate your Account. See Section 9 for details.
3.6 Data We Do Not Collect
We do not intentionally collect or process:
- Special categories of personal data (Art. 9 GDPR), such as health data, racial or ethnic origin, political opinions, religious beliefs, biometric or genetic data;
- Personal data of children under 18 years of age (see Section 12);
- Full payment card numbers or CVV codes (these are handled exclusively by our payment processor).
4. Purposes and Legal Bases for Processing
We process your personal data only where we have a valid legal basis under Art. 6 GDPR. The following table sets out our main processing activities and their corresponding purposes and legal bases.
| Purpose | Data Categories | Legal Basis |
|---|---|---|
| Providing and operating the Services (account management, authentication, delivering features you use) | Identity, contact, account credentials, usage data | Art. 6(1)(b) GDPR — performance of a contract |
| Processing payments and managing subscriptions | Billing data, transaction references | Art. 6(1)(b) GDPR — performance of a contract |
| Sending transactional communications (account confirmations, password resets, invoices, service notifications) | Identity, contact data | Art. 6(1)(b) GDPR — performance of a contract |
| Customer support | Identity, contact data, communications data | Art. 6(1)(b) GDPR — performance of a contract; Art. 6(1)(f) — legitimate interest in providing effective support |
| Service improvement and analytics | Usage data, log data (anonymised or pseudonymised) | Art. 6(1)(f) GDPR — legitimate interest in understanding and improving our Services |
| Security, fraud prevention, and abuse detection | Log data, account data, usage data | Art. 6(1)(f) GDPR — legitimate interest in protecting the Services and our users |
| Legal compliance (tax records, compliance with legal obligations) | Billing data, identity data | Art. 6(1)(c) GDPR — compliance with a legal obligation |
| Marketing and newsletter communications | Email address, name, communication preferences | Art. 6(1)(a) GDPR — consent (freely given and withdrawable at any time; see Section 10) |
| Enforcement of our Terms of Service | Relevant account and usage data | Art. 6(1)(f) GDPR — legitimate interest in enforcing our contractual rights |
| AI model training (opt-in only) | Pseudonymised usage data and/or interaction data | Art. 6(1)(a) GDPR — consent (opt-in only; see Section 4.1) |
Legitimate interests balancing test: Where we rely on Art. 6(1)(f) GDPR (legitimate interests), we have assessed that our interests are not overridden by your interests or fundamental rights. You have the right to object to processing based on legitimate interests at any time (see Section 13.7).
4.1 Opt-In: AI Training Data Contribution
We may offer you the option to voluntarily contribute pseudonymised usage data (such as interaction patterns, feature usage, or similar telemetry) to help improve AI models used within our Services. This programme is entirely opt-in: we will only process your data for this purpose if you have given your express, freely given, and specific consent by actively enabling the relevant option in your account or application settings.
Key characteristics of this processing:
- Participation is always voluntary. You will not be penalised or disadvantaged for declining or for withdrawing your participation at any time.
- Data is pseudonymised before use. Direct identifiers (such as your name or email address) are removed or replaced with non-identifying references prior to any use for training purposes.
- You may withdraw your consent at any time via your account settings or by contacting us at support@garmingo.com, with effect for future processing. Withdrawal does not affect data already incorporated into a trained model where technical reversal is not reasonably feasible.
- The specific data types contributed, and any third-party processors involved, will be clearly disclosed at the point of opt-in.
5. Third-Party Service Providers and Data Recipients
We engage the following categories of third-party processors and recipients that may receive or process your personal data on our behalf. Where a third party acts as a data processor, we have entered into a Data Processing Agreement (DPA) with them as required by Art. 28 GDPR.
5.1 Payment Processing — Polar.sh
All payment transactions are processed by Polar Software, Inc. ("Polar.sh"). Garmingo does not store or process full payment card data; such data is handled exclusively by Polar.sh under their own security and compliance standards.
- Privacy Policy: https://polar.sh/legal/privacy
- Data transferred: Billing name, billing address, transaction reference, subscription details.
5.2 Authentication — Better Auth (Self-Hosted)
Account authentication is handled via Better Auth, deployed on our own self-hosted infrastructure within the European Union. Credential data (hashed passwords, session tokens) does not leave our infrastructure.
5.3 Cloud AI Processing — Garmingo Voice
When you use cloud AI features within Garmingo Voice, your audio and/or transcription data is processed by Mistral AI (Mistral AI SAS) — GDPR compliance confirmed under applicable terms.
Privacy Policy: https://mistral.ai/terms/#privacy-policy
Data is transmitted to Mistral AI only when you actively use features that require cloud AI processing. We transmit only the minimum data necessary for the requested feature. We recommend reviewing Mistral AI's privacy policy for full details on how submitted data is processed.
5.4 Social Login Providers
If you use social login, the following providers may share data with us (see Section 9):
- GitHub (GitHub, Inc. / Microsoft Corporation)
- Google (Google LLC / Alphabet Inc.)
5.5 Marketing Email — Listmonk (Self-Hosted)
Marketing and newsletter communications are sent via Listmonk, a self-hosted, open-source email platform deployed on our own infrastructure within the European Union. Your email address and subscription preferences are stored on our own servers and are not shared with any third-party email marketing platform.
Transactional emails (e.g., account confirmation, password reset, invoices) may be delivered via a transactional email relay service. We will update this section if and when a specific relay provider is used.
5.6 Hosting and Infrastructure
Our Services and data are hosted on infrastructure located within the European Union. We will update this section if hosting arrangements change.
5.7 Disclosure to Authorities
We may disclose personal data to competent authorities (including law enforcement, courts, or regulatory bodies) if and to the extent we are required to do so by applicable law, a binding court order, or in order to protect the legal rights and interests of Garmingo or third parties.
6. International Data Transfers
Garmingo's primary data storage and processing infrastructure is located within the European Union. We endeavour to keep personal data within the EEA wherever possible.
Certain third-party service providers (in particular, AI processing provider Mistral AI, and social login providers GitHub and Google) may be based outside the European Economic Area, including in the United States.
Where personal data is transferred to a third country, we ensure that one or more of the following transfer mechanisms applies:
- The recipient country has been recognised by the European Commission as providing an adequate level of data protection (adequacy decision pursuant to Art. 45 GDPR);
- The transfer is subject to Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Art. 46(2)(c) GDPR;
- The recipient has provided appropriate safeguards under Art. 46 GDPR and the transfer is necessary for performance of the contract.
You may request further information about the specific transfer mechanisms in place for any particular provider by contacting us at support@garmingo.com.
7. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law.
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data (identity, contact, credentials) | Duration of active account + up to 3 years after account deletion | Statute of limitations under German law (§ 195 BGB); legitimate interest in resolving disputes |
| Billing and transaction records | 10 years from the date of the transaction | Legal obligation under §§ 238, 257 HGB and § 147 AO (German commercial and tax record-keeping requirements) |
| Support communications | 3 years from closure of the support request | Legitimate interest; statute of limitations |
| Log and access data | 90 days unless retained longer for a specific security or legal reason | Legitimate interest in security and abuse prevention |
| Marketing / newsletter subscription data | Until you withdraw consent or unsubscribe, + 3 years thereafter for evidence purposes | Legal obligation to demonstrate consent; legitimate interest |
| Analytics data (anonymised/aggregated) | Indefinitely (as it no longer constitutes personal data once anonymised) | N/A — anonymised data is not subject to GDPR retention limits |
After the applicable retention period expires, personal data is securely deleted or anonymised.
8. Cookies and Similar Technologies
8.1 Our Approach
We aim to operate our Website and Services with minimal use of cookies. Our self-hosted analytics solution (see Section 3.3) does not use cookies or local storage tracking mechanisms.
8.2 Technically Necessary Cookies
We use a limited number of session cookies that are strictly necessary for the operation of the Services — for example, to maintain your authenticated session after login. These cookies are set by our own infrastructure, are not used for tracking or advertising purposes, and do not require your consent pursuant to § 25(2) No. 2 TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz).
8.3 Optional / Analytics Cookies
If we introduce analytics tools that use cookies (such as PostHog where deployed in a cookie-based configuration), we will request your prior consent in accordance with § 25(1) TDDDG before setting any non-essential cookies. You may withdraw such consent at any time via your cookie preferences.
8.4 Managing Cookies
You can control and delete cookies through your browser settings at any time. Please note that disabling technically necessary cookies may affect the functionality of the Services.
9. Social Login (OAuth)
If you choose to register or log in to the Services using your GitHub or Google account, those providers will authenticate your identity and share a limited set of data with us. The data we receive typically includes:
- Your name or display name as registered with the provider;
- Your email address registered with the provider;
- A provider-specific user identifier (used for authentication purposes only).
We do not receive your password from these providers and do not have access to your full social account profile, contacts, or other data beyond what is necessary for authentication.
Your use of GitHub and Google OAuth is also governed by the respective providers' privacy policies:
- GitHub: https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement
- Google: https://policies.google.com/privacy
You may disconnect social login from your Account at any time via your account settings.
10. Marketing and Newsletter Communications
10.1 Subscription and Consent
We send marketing and newsletter emails using our self-hosted Listmonk platform. We will only send you marketing communications if you have provided your express, freely given, and informed consent in accordance with Art. 6(1)(a) GDPR and § 7 UWG (Gesetz gegen den unlauteren Wettbewerb).
We use a confirmed opt-in (double opt-in) procedure: after you sign up for our newsletter, we will send you a confirmation email with a verification link that you must click to activate your subscription. We retain evidence of your consent.
10.2 Right to Withdraw Consent (Unsubscribe)
You may withdraw your consent and unsubscribe from marketing communications at any time, free of charge, by:
- Clicking the unsubscribe link included in every marketing email; or
- Contacting us at support@garmingo.com.
Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal. After unsubscribing, we will cease sending you marketing emails within a reasonable time.
10.3 Transactional Emails
We may send you transactional emails that are necessary for the performance of our contract with you (such as account confirmations, password resets, subscription confirmations, and invoices). These are not marketing communications and are not subject to the opt-in requirement. You may not opt out of transactional communications while your Account is active.
11. Security
We implement appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, alteration, disclosure, or destruction. These measures include, where applicable:
- Storage of passwords in hashed form only (bcrypt or equivalent);
- Encrypted data transmission (TLS/HTTPS);
- Access controls and least-privilege principles for internal systems;
- Regular review of our security practices.
Please be aware that no method of transmission over the internet or electronic storage is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority and, where required by Art. 34 GDPR, notify you directly without undue delay.
12. Children's Privacy
Our Services are not directed at, and we do not knowingly collect personal data from, persons under the age of 18 years. If you are under 18, you must not use our Services or provide us with any personal data.
If we become aware that we have inadvertently collected personal data from a person under the age of 18, we will delete that data promptly. If you believe we may have collected personal data from or about a person under 18, please contact us at support@garmingo.com.
13. Your Rights Under the GDPR
As a data subject under the GDPR, you have the following rights regarding your personal data. We respond to all valid requests within one month of receipt, which may be extended by up to two further months in complex cases (with notification to you).
13.1 Right of Access (Art. 15 GDPR)
You have the right to obtain confirmation as to whether we are processing personal data about you, and if so, to receive a copy of that data along with information about the processing (purposes, categories of data, recipients, retention periods, etc.).
13.2 Right to Rectification (Art. 16 GDPR)
You have the right to request correction of inaccurate personal data or completion of incomplete personal data we hold about you.
13.3 Right to Erasure ("Right to be Forgotten") (Art. 17 GDPR)
You have the right to request deletion of your personal data where:
- The data is no longer necessary for the purposes for which it was collected;
- You have withdrawn consent and there is no other legal basis for processing;
- You have objected to processing and there are no overriding legitimate grounds;
- The data has been unlawfully processed;
- Deletion is required by applicable law.
This right does not apply where processing is necessary for compliance with a legal obligation, or for the establishment, exercise, or defence of legal claims.
13.4 Right to Restriction of Processing (Art. 18 GDPR)
You have the right to request restriction of processing in certain circumstances, including where you contest the accuracy of the data, where processing is unlawful but you prefer restriction to erasure, or where you have objected to processing pending verification of our legitimate grounds.
13.5 Right to Data Portability (Art. 20 GDPR)
Where we process your personal data on the basis of your consent or for the performance of a contract, and processing is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
13.6 Right to Withdraw Consent (Art. 7(3) GDPR)
Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal. You may withdraw consent by contacting us at support@garmingo.com or, for newsletter communications, by using the unsubscribe link in any marketing email.
13.7 Right to Object (Art. 21 GDPR)
You have the right to object at any time to the processing of your personal data where we rely on Art. 6(1)(f) GDPR (legitimate interests) as our legal basis. Upon your objection, we will cease processing unless we can demonstrate compelling legitimate grounds for processing that override your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defence of legal claims.
Where personal data is processed for direct marketing purposes, you have an unconditional right to object at any time, and we will cease processing for that purpose immediately without the need to demonstrate compelling grounds.
13.8 Right Not to be Subject to Automated Decision-Making (Art. 22 GDPR)
We do not currently make decisions that produce legal or similarly significant effects on you based solely on automated processing, including profiling.
13.9 How to Exercise Your Rights
To exercise any of the rights set out above, please contact us at:
Email: support@garmingo.com
Post: Garmingo UG (haftungsbeschränkt), Hörder Straße 324, 58454 Witten, Germany
We may request additional information to verify your identity before processing your request. We will not charge a fee for responding to a legitimate request, unless requests are manifestly unfounded or excessive.
14. Right to Lodge a Complaint
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a competent supervisory authority if you believe that the processing of your personal data infringes the GDPR.
The supervisory authority competent for Garmingo is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestraße 2–4
40213 Düsseldorf
Germany
Website: https://www.ldi.nrw.de
Email: poststelle@ldi.nrw.de
You may also lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, your place of work, or the place where the alleged infringement occurred.
We would nevertheless appreciate the opportunity to address your concerns directly before you contact the supervisory authority — please reach out to us at support@garmingo.com.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or the structure of our Services. We will notify you of material changes by:
- Sending an email to the address registered with your Account; and/or
- Publishing a prominent notice on our Website.
The updated Privacy Policy will indicate the revised "Last Updated" date at the top of this document. For significant changes, we will provide reasonable advance notice before the changes take effect. Your continued use of the Services after the effective date of any update constitutes acknowledgment of the updated Privacy Policy.
We encourage you to review this Privacy Policy periodically.
16. Contact and Requests
For any questions, requests, or concerns regarding this Privacy Policy or our data processing practices, please contact us at:
Garmingo Unternehmergesellschaft (haftungsbeschränkt)
Hörder Straße 324
58454 Witten
Germany
| Purpose | Contact |
|---|---|
| Data protection / privacy requests | support@garmingo.com |
| General management / legal | management@garmingo.com |
| Abuse reports | abuse@garmingo.com |
We endeavour to respond to all data protection requests within one month in accordance with Art. 12(3) GDPR.
_This Privacy Policy constitutes the Datenschutzerklärung of Garmingo Unternehmergesellschaft (haftungsbeschränkt) and has been drafted with the aim of complying with applicable European and German data protection law, including the General Data Protection Regulation (GDPR / DSGVO), the Bundesdatenschutzgesetz (BDSG), and the Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG)._
_This document does not constitute legal advice. Garmingo recommends that this Privacy Policy be reviewed by a qualified attorney prior to publication._