Privacy Policy
We take the protection of your personal data seriously. This privacy policy informs you about the nature, scope and purpose of the processing of personal data on our platform ManualHQ (http://manualhq.app/en/datenschutz).
I. Definitions
- Personal data means any information relating to an identified or identifiable natural person (Art. 4 No. 1 GDPR).
- Processing means any operation performed on personal data, such as collection, storage, use or deletion (Art. 4 No. 2 GDPR).
- Controller means the natural or legal person who determines the purposes and means of processing (Art. 4 No. 7 GDPR).
- Processor means a natural or legal person who processes personal data on behalf of the controller (Art. 4 No. 8 GDPR).
II. General Information
1. Controller
Zerocom GmbH
Nelkenstr. 9
52134 Herzogenrath
Managing Director: Robert Zessack
Phone: +49 2406 9950007
Email: [email protected]
2. Legal Basis
We process personal data on the following legal bases:
- Consent (Art. 6(1)(a) GDPR) — when you have expressly consented.
- Performance of a contract (Art. 6(1)(b) GDPR) — to provide the platform and your access.
- Legal obligation (Art. 6(1)(c) GDPR) — to fulfil statutory retention obligations.
- Legitimate interest (Art. 6(1)(f) GDPR) — for security, abuse prevention and improvement of our services.
Where we base processing on a legitimate interest, you may object at any time.
3. Recipients and Processors
Personal data is only disclosed to third parties:
- with your consent,
- to fulfil the contract (e.g. payment processing via Stripe),
- due to legal obligations,
- to safeguard legitimate interests (e.g. infrastructure providers).
We use the following processors:
- Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen — Hosting, backup storage.
- Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107 — CDN, DDoS protection, DNS. EU data processing pursuant to EU Standard Contractual Clauses.
- Stripe Inc., 510 Townsend St, San Francisco, CA 94103 — Payment processing. Stripe is PCI DSS Level 1 certified. Payment data is processed exclusively by Stripe.
- Billbee GmbH, Paulinenstr. 54, 32756 Detmold — Invoice generation.
- Brevo (Sendinblue GmbH), Köpenicker Str. 126, 10179 Berlin — Transactional email delivery (registration confirmation, password reset, invitations).
4. Transfer to Third Countries
Where data is transferred to service providers in the USA (Stripe, Cloudflare), this is done on the basis of EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) or the EU-US Data Privacy Framework.
5. Your Rights
You have the following rights regarding your personal data:
- Access (Art. 15 GDPR) — Right to information about stored data.
- Rectification (Art. 16 GDPR) — Right to correction of inaccurate data.
- Erasure (Art. 17 GDPR) — Right to deletion, provided no statutory retention obligation exists.
- Restriction (Art. 18 GDPR) — Right to restriction of processing.
- Data portability (Art. 20 GDPR) — Right to receive your data in a machine-readable format.
- Objection (Art. 21 GDPR) — Right to object to processing based on legitimate interests.
- Withdrawal of consent (Art. 7(3) GDPR) — possible at any time, without affecting the lawfulness of prior processing.
- Right to lodge a complaint (Art. 77 GDPR) — with the competent data protection supervisory authority.
To exercise your rights, contact us at: [email protected]
6. Storage Duration
Personal data is deleted as soon as the purpose of storage ceases to apply. Statutory retention periods (e.g. commercial and tax law: 6-10 years) remain unaffected. Audit logs are retained for 12 months and then automatically deleted.
7. Cookies
ManualHQ uses only technically necessary cookies:
- Session cookie — to maintain your session. Deleted when the browser is closed.
- Remember-me cookie — optional, keeps you logged in for up to 30 days. Legal basis: Art. 6(1)(a) GDPR (consent by clicking).
- CSRF token — protects forms against cross-site request forgery. Technically necessary.
No tracking cookies are used. A consent banner is therefore not required.
III. Individual Processing Operations
1. Hosting
Our platform is operated on servers of Hetzner Online GmbH in Germany. When accessing the site, server log files are automatically recorded (IP address, time, page accessed, referrer, browser). These are deleted after 14 days. Legal basis: Art. 6(1)(f) GDPR.
2. Cloudflare (CDN and Security)
We use Cloudflare as a content delivery network and for DDoS protection. Cloudflare temporarily processes IP addresses and connection data. Cloudflare does not store personal data beyond the technically necessary processing. Legal basis: Art. 6(1)(f) GDPR.
3. Registration and User Account
During registration we collect:
- Name
- Email address
- Password (stored exclusively as a bcrypt hash)
Optional: TOTP secret for two-factor authentication (stored encrypted, not recoverable).
Your account and all associated data will be deleted upon cancellation, provided no statutory retention obligations exist. Legal basis: Art. 6(1)(b) GDPR.
4. Audit Log (Access Logs)
ManualHQ logs the following data on behalf of manufacturers for each document access:
- Time of access
- IP address
- User agent (browser/device)
- Accessed document / chapter
- Type of action (viewed, downloaded)
This data is used for traceability and for the protection of document content in accordance with the contractual requirements of the manufacturers. Logs are automatically deleted after 12 months. Legal basis: Art. 6(1)(b) and (f) GDPR.
5. Watermarks in Downloads
When you download a document, your name and email address are embedded as a watermark in the PDF. This serves to protect the copyright of the manufacturers and to enable traceability in case of unauthorized distribution. Legal basis: Art. 6(1)(b) and (f) GDPR.
6. Payment Processing (Stripe)
We use Stripe for payment processing. When subscribing, the following data is transmitted to Stripe:
- Email address
- Selected plan and billing period
- Payment information (credit card, SEPA — stored exclusively by Stripe)
We do not store any payment data ourselves. Stripe is PCI DSS Level 1 certified. Legal basis: Art. 6(1)(b) GDPR.
7. Invoice Generation (Billbee)
For automatic invoice generation, we transmit the company name, email address and invoice amount to Billbee upon successful payment. Legal basis: Art. 6(1)(b) and (c) GDPR (contract performance and tax retention obligation).
8. Email Delivery
We send transactional emails (registration confirmation, password reset, invitations, access notifications). Delivery is handled by Brevo (formerly Sendinblue). Legal basis: Art. 6(1)(b) GDPR.
9. Document Storage
Uploaded PDF documents are stored encrypted on Hetzner Object Storage (S3-compatible) in Germany. Access is exclusively possible through the platform with a valid access right. Legal basis: Art. 6(1)(b) GDPR.
10. Backups
Daily database backups are stored encrypted on a Hetzner Storage Box in Germany and automatically deleted after 30 days. Legal basis: Art. 6(1)(f) GDPR.
IV. Web Analytics
We use Umami, a privacy-friendly, self-hosted analytics solution. Umami stores no personal data, sets no cookies and transmits no data to third parties. Only anonymized page views are recorded. A consent banner is therefore not required.
Last updated: April 2026