Embedded Wizard Privacy Policy (EWPP)

TARA Systems GmbH
Effective Date: 2025-11-18

This Embedded Wizard Privacy Policy ("Privacy Policy" or "EWPP") explains how TARA Systems GmbH ("TARA", "we", "us") processes personal data in connection with the Embedded Wizard product family, including our websites, customer and developer portals, licensing and activation systems, online services, support offerings and related sales and marketing activities.

This Privacy Policy complements our contractual documentation, in particular the Embedded Wizard Terms and Conditions ("EWTC"), the Embedded Wizard License Agreement ("EWLA"), the Embedded Wizard Support Agreement ("EWSA"), the Embedded Wizard Refund Policy ("EWRP") and, where applicable, the Data Processing Agreement ("DPA") concluded with customers for support and remote services. In case of conflict between this Privacy Policy and a DPA, the DPA will prevail for processing where we act as processor.

Our commercial products and services are aimed at business customers (entrepreneurs/business customers within the meaning of Section 14 BGB). We do not target consumers within the meaning of Section 13 BGB with Embedded Wizard products. Nevertheless, this Privacy Policy also applies to individual visitors of our websites and to natural persons acting on behalf of business customers (e.g. employees, contractors).

Unless expressly stated otherwise, TARA acts as controller within the meaning of the GDPR. For certain scenarios (in particular support and remote services under a DPA) we act as processor on behalf of the customer. For payment processing our Merchant of Record (currently Bright Market, LLC d/b/a FastSpring) acts as independent controller. For optional third-party AI services accessed via our AI Connector, the respective AI provider acts as independent controller for the AI input and output.

1. Controller & Contact
  TARA Systems GmbH ("TARA")
  Gmunder Str. 53, 81379 Munich, Germany
  Phone: +49 89 747121-0
  Email: contact@embedded-wizard.de
  Website: https://www.embedded-wizard.de

2. Scope
This Privacy Policy covers personal data processed when you:
  - visit our websites, portals and online content under the Embedded Wizard brand;
  - create and use Embedded Wizard accounts or portals (e.g. customer, evaluation or partner accounts);
  - purchase licenses or subscriptions, request quotes or otherwise engage in B2B sales communication with us;
  - use Embedded Wizard products that communicate with our servers (e.g. for license validation, activation, updates or online features);
  - receive support from us (tickets, email, phone, remote sessions);
  - subscribe to our newsletters or other electronic communications; or
  - interact with us at events, via social media or other channels.

This Privacy Policy does not regulate processing where we act as processor for our customers under a DPA (for example when we process customer system data as part of support or remote access services). In those cases, the DPA (including its Technical and Organisational Measures and Subprocessor Annex) applies primarily; this Privacy Policy applies only to the extent we act as independent controller (e.g. for our own ticket and contact management).

3. Data, Purposes & Legal Bases
We only process personal data where there is a legal basis under Art. 6 GDPR and, where applicable, under other relevant laws (e.g. German commercial and tax law, UWG). Below we describe the main processing activities.

3.1 Website operation & security

Data: server log files (IP address, date/time, URL and file requested, transferred data volume, HTTP status code, referrer URL, browser and operating system information), basic device information, and similar technical identifiers.  
Purpose: provide the website, ensure technical availability and performance, detect and prevent misuse and attacks (e.g. DDoS, brute-force), troubleshoot and ensure IT security, compile anonymised statistics on system stability.  
Legal basis: Art. 6(1)(f) GDPR (legitimate interests in secure and stable operation of our online services and defence of legal claims). Log files are generally stored for a short period and then anonymised or deleted unless a longer retention is necessary for specific incidents.

3.2 Cookies, local storage & analytics

We use cookies and similar technologies (e.g. local storage, pixels, SDKs) on our websites and in some online services.

- Technically necessary cookies: These are required to provide our websites, to remember your settings (e.g. language, consent choices) or to enable secure login.  
  Legal basis: Art. 6(1)(b) GDPR (performance of contract or pre-contractual measures) and Art. 6(1)(f) GDPR (legitimate interests in providing user-friendly, secure services).

- Non-essential cookies/analytics/third-party tools: These are used, for example, to measure reach and usage, improve our content, integrate media, or display social plugins, provided you have given consent.  
  Legal basis: Art. 6(1)(a) GDPR (consent); you can withdraw your consent at any time with future effect via the consent tool or browser settings.

We use a consent management tool (cookie banner) where you can obtain detailed information about each cookie or tool (provider, function, storage duration, third-country transfers) and manage your choices. Where we use privacy-friendly analytics solutions, we configure them to minimise data (e.g. IP anonymisation, no cross-site tracking) in accordance with GDPR.

3.3 Customer accounts, subscriptions, orders & B2B sales communication

Data: master and contact data (name, business email, job title, company, department), login credentials and usage data for accounts/portals, organisation and project information, license and subscription data (license keys, product variants, seats/users, term, billing interval), order and payment-related data (order ID, product, price, currency, VAT data, billing address), correspondence (e.g. email history, notes on calls or meetings).  

Purpose: create and manage customer, evaluation and partner accounts; provide downloads and access to resources; prepare and process offers, orders, subscriptions and license keys; allocate and manage seats/users; manage B2B customer relationships and sales pipeline; answer pre-sales requests; document contractual relations; comply with commercial and tax retention obligations; and send product-related administrative information (e.g. major releases, important changes to terms, end-of-life notices).  

Legal bases:
  - Art. 6(1)(b) GDPR (performance and preparation of contracts with our customers and their representatives),
  - Art. 6(1)(c) GDPR (statutory retention obligations), and
  - Art. 6(1)(f) GDPR (legitimate interests in B2B customer care, sales activities and documentation of business communications).

Refunds, chargebacks, license compliance & audits  
In line with the EWTC and the EWRP we may, in individual cases, use license and usage/activation data (e.g. license keys, activation counts, build or unit information, timestamps, product versions) to:
  - verify license compliance and metrics relevant for billing (e.g. for Royalty Licenses and audits),
  - handle payment disputes, refunds and chargebacks, and
  - detect and investigate fraud or abuse patterns.

Legal bases: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interests in preventing fraud/misuse, protecting our licensing model and enforcing contractual rights).

We may send existing B2B customers and interested parties product-related information (e.g. about Embedded Wizard releases, changes to licensing or support) by email, provided this is permitted under applicable law (in particular § 7(3) UWG) and you have not objected. You can object to such communication at any time (see Section 8).

3.4 Payments & Merchant of Record (MoR)

For many online purchases of Embedded Wizard licenses and subscriptions we use a specialised payment provider as Merchant of Record ("MoR"), currently Bright Market, LLC d/b/a FastSpring, USA. In this setup, the MoR acts as independent controller for payment processing and related anti-fraud and accounting activities.

Data shared with the MoR:
  - basic transaction and contract data (order ID, product/plan, price, currency, billing interval, VAT details),
  - customer details required for invoicing (name, company, billing address, VAT ID, business email), and
  - technical transaction references necessary to allocate payments to contracts.

Payment data (e.g. credit card numbers, account data, payment provider tokens) are processed directly by the MoR and/or its payment sub-processors; we do not receive full payment card details.

Legal bases: Art. 6(1)(b) GDPR (performance of the purchase contract) and Art. 6(1)(f) GDPR (fraud prevention, efficient settlement and accounting).  

Refunds for online purchases via the MoR are processed through the original payment method in accordance with our Embedded Wizard Refund Policy (EWRP) and the MoR's terms and privacy policy (e.g. https://fastspring.com/privacy/).

3.5 License validation, product activation & online product communication (Embedded Wizard)

Our Embedded Wizard products (e.g. Studio, ChoraC) may connect to our servers and services in order to:
  - validate and activate licenses and subscriptions,
  - check for and download updates or online resources, and
  - provide certain online product functions (e.g. documentation search, example or asset downloads, in-product notifications about important product changes).

Data exchanged in this context typically includes:
 - license and activation identifiers (license keys, activation tokens, account IDs),
 - product, edition and version information, feature flags, platform information,
 - technical identifiers such as hashed device or installation identifiers, operating system information, timestamps and IP address, and
 - where linked to an account, limited user metadata from the customer account (e.g. company, seat/user assignment).

Purpose: fulfil the license and subscription contracts, ensure license protection and product integrity, provide and improve product functionality and user experience, troubleshoot problems, ensure IT security, and prevent fraud and misuse.  

Legal bases: Art. 6(1)(b) GDPR (contract performance), Art. 6(1)(f) GDPR (legitimate interests in license protection, IT security, product quality and fraud prevention).  

We may, as described in Sections 3.3 and 3.4, use license and activation data in individual cases for license compliance checks, audits and the handling of refund/chargeback situations. We do not create marketing profiles from this data and do not use it for automated individual decision-making with legal or similarly significant effects.

3.6 Support services (tickets, email, remote sessions)

Role: For most support communication (e.g. tickets, email, phone) we act as controller. Where support involves accessing customer systems, builds or logs that may contain personal data of end users or employees, we act as processor under a DPA concluded with the customer.  

Data: contact and identification data (name, business contact details, company, role), ticket and communication content, diagnostic and log files, configuration exports, screenshots, sample projects; metadata about remote sessions (date/time, session ID, participants, duration) where used.  

Purpose: provide and document support and maintenance services under the EWTC, EWSA and the respective Order Form; analyse and resolve technical issues; improve product stability and support quality; defend against legal claims and document fulfilment of contractual obligations.  

Legal bases (where we act as controller): Art. 6(1)(b) GDPR (performance of support contracts), Art. 6(1)(f) GDPR (legitimate interests in effective support, quality assurance and defence against claims).  

Where we act as processor, the legal basis is determined by the customer's relationship with data subjects; we process personal data solely on the customer's documented instructions and in accordance with the DPA (including its TOMs and Subprocessor Annex). In case of discrepancies between this Privacy Policy and the DPA with a customer, the DPA prevails for such processing.

3.7 Newsletter & direct marketing

Data: name, business email, company, role, language, optional preferences; metadata about subscription status (opt-in/opt-out, time, IP address).  

Purpose: send newsletters and B2B marketing communications about Embedded Wizard products, features, events, promotions and related content; manage subscriptions; demonstrate consent where required by law.  

Legal bases:
  - Art. 6(1)(a) GDPR (consent) for newsletters and electronic marketing where required, and
  - for existing B2B customers, Art. 6(1)(f) GDPR in conjunction with § 7(3) UWG (legitimate interests in promoting our own similar products and services), provided you have not objected.

You can withdraw your consent or object to receiving such communications at any time by using the unsubscribe link in our emails or by contacting us (see Section 11). This does not affect the lawfulness of processing based on consent before its withdrawal.

3.8 Optional use of third-party AI services (AI Connector)

Some Embedded Wizard products may offer optional integration with third-party AI services via an AI Connector. These features are entirely optional and can be disabled.

TARA does not operate its own AI model in this context and does not control the third-party AI provider's processing of your prompts or generated outputs. The third-party AI provider (for example, Anthropic PBC, the provider of the Claude API) acts as an independent controller for personal data that you submit to or receive from the AI service. Their terms of use and privacy policy apply in addition to this Privacy Policy and the EWLA.

Depending on your configuration and usage, the following categories of personal data may be processed in connection with the AI Connector:

- by TARA:
  - technical and usage metadata (e.g. feature flags, logs, error codes, timestamps, performance metrics),
  - license and account identifiers and configuration data necessary to enable and troubleshoot the connector, and
  - aggregated usage information to protect the service from abuse and to plan capacity;

- by the AI provider (e.g. Anthropic PBC):
  - the prompts and other content you send through the AI Connector (which may contain personal data if you choose to include such information),
  - the generated output returned by the AI service, and
  - technical and usage metadata related to the AI request and response.

Purpose (TARA): provide and maintain the AI Connector feature, ensure stability and security, prevent misuse (e.g. denial-of-service, credential abuse), and improve the integration from a technical perspective.

Purpose (AI provider): provide and improve the underlying AI services and fulfil their contractual obligations towards you or us, as described in their own terms and privacy notices.

Legal bases (TARA): Art. 6(1)(b) GDPR (performance of the software license contract, where the AI Connector is part of the licensed feature set) and Art. 6(1)(f) GDPR (legitimate interests in secure and reliable operation and prevention of abuse).

Legal bases (AI provider): are determined by the AI provider in its role as independent controller and may depend on your contractual relationship with that provider.

International transfers: When using Anthropic’s Claude API or other AI providers located outside the EU/EEA (for example in the United States), personal data may be transferred to such third countries. Where this is the case, the AI provider is responsible for ensuring an adequate level of protection, for example by participating in an adequacy scheme (such as the EU-U.S. Data Privacy Framework, if applicable) and/or by implementing Standard Contractual Clauses and additional safeguards.

Your responsibilities: Please do not use the AI Connector to submit special categories of personal data within the meaning of Art. 9 GDPR (e.g. health data) or other particularly sensitive information, and do not include personal data of third parties, unless you have a valid legal basis and have implemented appropriate safeguards under data protection law. You remain responsible for the lawfulness of the data you input into the AI service.

4. Recipients & international transfers
Within TARA, access to personal data is restricted to those teams and persons who need it for the purposes described in this Privacy Policy (e.g. development, support, sales, finance, operations).

We also use selected service providers (processors) and third-party tools. Where they act as processors on our behalf, we conclude data processing agreements in accordance with Art. 28 GDPR. Where providers act as independent controllers (e.g. social networks, payment providers, AI providers), their own privacy policies apply in addition.

Personal data may be transferred to countries outside the EU/EEA ("third countries") where:
  - this is necessary for the performance of a contract (e.g. cooperation with non-EU partners or the MoR),
  - you have explicitly consented, or
  - we use service providers in third countries.

In such cases we ensure an adequate level of data protection, for example by:
  - an adequacy decision of the European Commission (e.g. EU-U.S. Data Privacy Framework),
  - Standard Contractual Clauses (Art. 46(2)(c) GDPR) including supplementary safeguards where necessary, or
  - other appropriate safeguards provided by the GDPR.

You can request further information and copies of the relevant safeguards using the contact details in Section 11, to the extent this does not infringe on the rights and freedoms of others.

5. Processors, tools & roles
The following list gives an overview of relevant tools and providers we currently use in connection with Embedded Wizard. It may be updated from time to time; the current version of this Privacy Policy and, where applicable, the Subprocessor Annex to your DPA reflect the latest status.

Controllers providing tools integrated into the website (only with consent where required)
  - Google Ireland Limited (e.g. for embedded content or fonts) – Privacy policy available at https://policies.google.com/privacy
  - LinkedIn Ireland Unlimited Company (social plugins/buttons, embedded content) – Privacy policy available at https://www.linkedin.com/legal/privacy-policy

These providers generally act as independent controllers when you interact with their content. They may combine data with information from your profiles on their platforms.

Third-party AI providers (independent controllers)

  - Anthropic PBC (United States) – provider of the Claude API, which may be used for optional AI features accessed via the AI Connector in certain Embedded Wizard products. When you use such features, Anthropic processes the prompts and other content you submit, the generated output and related technical metadata as an independent controller under its own terms and privacy policy. International data transfers (e.g. to the United States) are governed by the safeguards implemented by Anthropic (such as participation in an adequacy scheme and/or the use of Standard Contractual Clauses). Privacy information: https://www.anthropic.com/privacy

Processors engaged by TARA as Controller (website, accounts, communication)
  - Hetzner Online GmbH (Germany/EU) – web hosting, infrastructure, storage. Data location: EU. Privacy information: https://www.hetzner.com/legal/privacy-policy/
  - Pipedrive OÜ and affiliated entities (EU/EEA & US) – CRM system for B2B sales and account management. Data location: EU/EEA with limited transfers to third countries where necessary, protected by appropriate safeguards (e.g. Data Privacy Framework/Standard Contractual Clauses). Privacy information: https://www.pipedrive.com/en/privacy
  - CleverReach GmbH & Co. KG (Germany/EU) – email marketing platform for newsletters and bulk B2B communication. Data location: EU. Privacy information: https://www.cleverreach.com/de/datenschutz/
  - Google Ireland Limited (Google Analytics 4) – analytics provider used with IP anonymisation and other privacy-enhancing settings. International transfers are protected by appropriate safeguards (e.g. Standard Contractual Clauses). Privacy information: https://policies.google.com/privacy

Processors engaged by TARA as Processor (support/remote, under DPA)
Where we act as processor under a DPA, we may use the following subprocessors for support, ticketing and remote access:
  - Zammad GmbH (Germany/EU) – support/ticketing platform used for managing support requests. Data location: EU; processing governed by DPA; privacy information: https://zammad.com/en/company/privacy
  - Hetzner Online GmbH (Germany/EU) – hosting provider for support infrastructure and artefacts (e.g. ticket data, diagnostic uploads). Data location: EU; processing governed by DPA; privacy information as above.
  - Optional remote support tools (e.g. screen-sharing/remote session solutions) – used only on explicit customer request and as documented in the DPA, including the applicable safeguards.

We update the public list of processors and tools when changes occur and, where required by law or contract, inform affected customers in advance, allowing reasonable time to object.

6. Retention & deletion
We retain personal data only for as long as necessary for the purposes described in this Privacy Policy or as long as we have another valid legal basis (e.g. statutory retention periods, ongoing claims or disputes).

In particular:
  - Contract and accounting data (e.g. invoices, order records, license metrics relevant for billing) are generally kept for 6–10 years in accordance with commercial and tax law.  
  - Basic customer and contact data may be retained for the duration of the business relationship and a subsequent period where we have a legitimate interest (e.g. to maintain evidence of communications, manage long-term license or royalty models or defend against legal claims).  
  - Support tickets, diagnostic artefacts and remote session documentation are retained only as long as needed for the respective case and subsequent verification and then deleted, anonymised or archived with restricted access.  
  - Where processing is based on consent and you withdraw your consent, we will delete the relevant data unless another legal basis applies (e.g. statutory retention obligations).

Where we act as processor under a DPA, the retention, deletion and return of data are governed by that DPA; we follow the customer's lawful instructions.

7. Security
We implement appropriate technical and organisational measures ("TOMs") to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include, where appropriate:
  - access controls and role-based authorisation,
  - strong authentication and, where possible, multi-factor authentication,
  - encryption in transit and, where reasonable, at rest,
  - segregation of environments and data,
  - backup and recovery concepts,
  - logging and monitoring of relevant systems, and
  - regular security reviews and awareness measures.

For processing where we act as processor, the applicable TOMs are documented in the DPA with the customer. Remote support sessions are only initiated at the customer's request; access is limited to authorised support personnel and sessions may be logged for security and accountability.

8. Your rights
Under the GDPR and applicable national law, you have the following rights with respect to your personal data, subject to the conditions and limitations in the law:
  - Right of access (Art. 15 GDPR) – to obtain confirmation whether we process personal data about you and information about such data.
  - Right to rectification (Art. 16 GDPR) – to have inaccurate personal data corrected and incomplete data completed.
  - Right to erasure (Art. 17 GDPR) – to request deletion of personal data, in particular where it is no longer necessary for the purposes for which it was collected, or where you have withdrawn consent and there is no other legal basis.
  - Right to restriction of processing (Art. 18 GDPR) – to request restriction of processing under certain conditions.
  - Right to data portability (Art. 20 GDPR) – to receive personal data you have provided to us in a structured, commonly used and machine-readable format and to transmit that data to another controller where technically feasible.
  - Right to object (Art. 21 GDPR) – to object, on grounds relating to your particular situation, to processing based on Art. 6(1)(e) or (f) GDPR; this includes, in particular, your right to object at any time to processing of your data for direct marketing purposes.

Where processing is based on your consent (Art. 6(1)(a) GDPR), you may withdraw your consent at any time with future effect by contacting us or using the provided opt-out mechanisms (e.g. unsubscribe link). The withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

To exercise your rights, please contact us using the details in Section 11. We may need to verify your identity before fulfilling your request.

You also have the right to lodge a complaint with a supervisory authority, in particular in the EU/EEA Member State of your habitual residence, place of work or place of the alleged infringement. Our competent supervisory authority is typically the Bavarian Data Protection Authority; however, you are free to contact any competent authority.

9. Necessity of provision
Certain personal data are required to enter into and perform contracts with us or to provide specific features. For example:
  - we need contact and billing data to conclude and execute license and support agreements, issue invoices and manage subscriptions;
  - we need account and access data to provide secure access to downloads, portals and online services;
  - we need certain technical and license data to perform license validation and enable online product functions.

If you do not provide such data, we may not be able to conclude the contract, provide support or grant access to certain services. Where providing data is voluntary or based on consent (e.g. newsletter subscription), we will indicate this at the point of collection.

10. Children’s data
Our Embedded Wizard products and related services are intended for business users (B2B). We do not target children and do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child, we will take appropriate steps to delete such data without undue delay, unless we are legally obliged to retain it.

11. How to contact us
Controller:
  TARA Systems GmbH
  Gmunder Str. 53
  81379 Munich
  Germany

  Email: contact@embedded-wizard.de
  Website: https://www.embedded-wizard.de

For data protection matters, please contact us using the above details. If necessary, we will involve the appropriate internal or external data protection experts.

12. Updates to this Privacy Policy
We may update this Privacy Policy from time to time, for example to reflect changes in our processing activities, legal requirements or best practices. The current version is available on our website and is identified by the Effective Date at the top.

Where changes are material and where required by law, we will inform you in advance via suitable channels (e.g. via our website, within the product or by email) and, where necessary, obtain renewed consent.

END OF POLICY