Autaxo Privacy Policy
Last updated: July 2, 2026
Translation notice
This English version is provided for convenience only. The German Privacy Policy is legally authoritative and prevails in the event of any discrepancy.
Introduction and overview
In this Privacy Policy, GOBERU SOLUTIONS UG (haftungsbeschränkt), hereinafter “we,” “us” or “Autaxo,” informs you pursuant to Articles 13 and 14 of the General Data Protection Regulation (“GDPR”) about the processing of personal data when you visit our website, contact us or use our Software-as-a-Service platform.
This policy applies to autaxo.de, the associated product pages and the garage.autaxo.de platform to the extent that we act as controller there. A supplementary privacy policy containing Studio-specific information applies to autaxo.studio.
Important distinction concerning processing on behalf of customers
When our customers process personal data relating to their own end customers, employees, suppliers or other third parties in Autaxo, we generally act as a processor within the meaning of Article 28 GDPR. In that case, the Data Processing Agreement (“DPA”), including the annexes concerning technical and organizational measures (“TOMs”) and subprocessors, takes precedence. This Privacy Policy primarily describes how we process data relating to website visitors, prospects, customers and users as an independent controller.
We provide the current DPA at /downloads/autaxo_avv.pdf. Subprocessors may vary depending on the module booked and integrations enabled.
Controller
The controller within the meaning of Article 4(7) GDPR is:
GOBERU Solutions UG (haftungsbeschränkt)
c/o Julian Alessio Goßen
Kiefernstraße 25
45525 Hattingen
Germany
Represented by: Julian Alessio Goßen
Commercial register: Local Court of Essen, HRB 36889
VAT ID: DE454764286
Email: kontakt@autaxo.de
Please send data-protection inquiries to datenschutz@autaxo.de.
Data processing when you visit our website
Hosting, delivery and security
Our website and individual API endpoints are delivered using Firebase Hosting and Google Cloud. The provider is Google Cloud EMEA Ltd., Dublin, Ireland. For server-side functions, we use Google Cloud/Firebase in the europe-west3 (Frankfurt am Main) region in particular, where technically configured.
- Data processed: IP address, date and time, URL accessed, referrer, HTTP headers, user agent, error logs and security logs.
- Purpose: Website delivery, system security, prevention of misuse, troubleshooting and availability.
- Legal basis: Article 6(1)(f) GDPR. Our legitimate interest is the secure and high-performance operation of our online services.
- Retention: Log data is stored only for as long as required for security, troubleshooting and traceability and is then deleted or anonymized unless statutory obligations prevent this.
Contact, forms and communication
When you contact us by email, contact form, telephone, support request or messenger, we process the information you provide in order to handle your inquiry.
- Data: Name, company, contact details, message content, technical metadata and any attachments you provide.
- Purpose: Responding to your inquiry, taking steps before entering a contract, support and documentation.
- Legal basis: Article 6(1)(b) GDPR where the inquiry relates to a contract; otherwise Article 6(1)(f) GDPR.
- Service providers: We primarily use Google Workspace and Mailjet/Sinch for email and communication. If individual legacy or special forms are technically operated through Formspree, Formspree is used as the form service provider.
- Retention: Inquiries are deleted after final processing unless statutory retention periods or legitimate documentation interests prevent deletion.
Appointment booking with Google Calendar
We may use Google Calendar Appointment Schedules for demo and consultation appointments. When you book, Google processes the information required for the booking, such as your name, email address, selected appointment, time zone and any additional form details. The legal basis is Article 6(1)(b) or Article 6(1)(f) GDPR.
Contact through WhatsApp and other messengers
If you contact us through WhatsApp or a comparable messenger, we process your phone number, profile details, message content and communication metadata to handle your inquiry. WhatsApp is provided by Meta. For confidential information or personal customer data, please preferably use email or the designated Platform functions.
Embedded content and media
Our website may embed videos through YouTube or YouTube-Nocookie, maps, calendar widgets or external links. When you access such content, personal data may be transmitted to the respective provider. Where technically possible, we use privacy-conscious embeds and load marketing or analytics functions only after you consent.
Cookies, local storage and tracking
We use technically necessary cookies and local storage to provide our website, store your cookie preference and enable security functions. We use analytics and marketing technologies only with your consent.
- Technically necessary storage: Section 25(2) of the German Telecommunications Digital Services Data Protection Act (Telekommunikation-Digitale- Dienste-Datenschutz-Gesetz, “TDDDG”); where personal data is processed, Article 6(1)(f) or Article 6(1)(b) GDPR.
- Analytics and marketing: Section 25(1) TDDDG and Article 6(1)(a) GDPR. You may withdraw your consent at any time with future effect.
- Consent storage: Your selection is stored locally in your browser under
the
cookie-consentkey.
Analytics and marketing services used
- Google Tag Manager, Google Analytics 4 and Google Ads: Audience measurement,
campaign measurement, conversion tracking and Consent Mode. The providers are Google Ireland
Ltd. and/or Google LLC. On autaxo.de we use, in particular, GTM container
GTM-KMC8PBKVand GA4 propertyG-353ZQGL6N4. - Meta Pixel: Measurement and optimization of campaigns on Meta platforms.
The provider is Meta Platforms Ireland Ltd.; pixel ID
958054909902734. - TikTok Pixel: Measurement and optimization of TikTok campaigns. The provider
is TikTok Technology Limited and/or affiliated TikTok companies; pixel ID
D6OS253C77UCRHPRJU30.
These providers may also process data for their own purposes, such as aggregation, security, prevention of misuse or improvement of their services. Details appear in the respective providers’ privacy and data-processing terms.
Withdraw consent
You can reset your cookie choice here. The consent banner will appear again after the page reloads.
Data processing when using the Autaxo Platform
Allocation of roles
We process account, contract, billing, support, security and usage data relating to our customers and Authorized Users as an independent controller. We generally process content that customers handle on the Platform for their own business transactions as a processor under the DPA.
Categories of data
- Customer and contract data: Name, company, address, email address, telephone number, VAT ID, plan, contract status and billing data.
- User data: Names, email addresses, roles, permissions, login events and security events concerning Authorized Users.
- Customer Data on the Platform: Vehicle, customer, supplier, contract, invoice, tax, document, image and communication data that customers upload, enter or generate.
- AI and integration data: Prompts, image files, vehicle data, metadata, API requests, tokens or status information as required for enabled AI functions or interfaces.
- Log and diagnostic data: IP addresses, timestamps, device and browser data, API calls, error logs and security events.
Purposes and legal bases
- Provision, operation and security of the Platform: Article 6(1)(b) and (f) GDPR.
- Contract administration, billing and support: Article 6(1)(b) GDPR.
- Compliance with commercial, tax and corporate-law obligations: Article 6(1)(c) GDPR.
- Troubleshooting, prevention of misuse, product improvement and capacity planning: Article 6(1)(f) GDPR.
- Processing Customer Data on behalf of the Customer: Article 28 GDPR in conjunction with the DPA and the Customer’s instructions.
AI functions
Depending on the module, Google Gemini/Vertex AI and specialized providers such as fal.ai may be used for AI-assisted functions such as document and receipt recognition, text assistance, image enhancement or background and showroom generation. Only the input, attachments, images, prompts, metadata and output required for the respective function are processed.
We do not use Customer Data to train public AI models. Data is used for training or model optimization only in anonymized or aggregated form or with the Customer’s prior express consent, to the extent legally permissible.
Optional interfaces
If you enable interfaces, data may be transmitted at your request to third-party providers or platforms. These may include mobile.de, AutoScout24, tax and government services, Google and Microsoft email and calendar services through Aurinko, and social-media or posting integrations through Zernio. The respective recipients generally act as independent controllers for their subsequent processing.
Recipients, processors and subprocessors
We disclose personal data only where required to provide a service, required by law, supported by a legitimate interest or covered by your consent. We conclude agreements under Article 28 GDPR with processors. The subprocessor list in the DPA annex is the contractually authoritative list for customers.
Core service providers
- Google Cloud EMEA Ltd./Google Cloud: Hosting, Firebase, Cloud Functions, databases, storage, logging, monitoring and, where applicable, Vertex AI/Gemini.
- Google Ireland Ltd./Google Workspace: Email, calendar, office and support communication.
- Sinch/Mailjet: Transactional email delivery and forwarding of form inquiries.
- VINCARIO s.r.o.: VIN queries and vehicle-data enrichment.
- fal.ai: AI-assisted image and media processing where the corresponding functions are used.
- Aurinko/Yoxel, Inc.: Optional connection to email, calendar, contact or task APIs, particularly Google and Microsoft.
- ZERNIO SOFTWARE SL: Optional social-media, posting and API integrations.
- Formspree: Form processing only to the extent individual forms or legacy systems are still technically operated through the service.
Payment service providers as independent controllers
We use external payment service providers. They generally process payment data as independent controllers or under their own regulatory responsibility. We do not receive full credit-card details or bank-account login credentials, but receive payment status, invoice information and contract information.
- Stripe: Stripe Payments Europe, Ltd., Dublin, Ireland.
- PayPal: PayPal (Europe) S.à r.l. et Cie, S.C.A., Luxembourg.
The legal basis is Article 6(1)(b) GDPR for payment processing and, where relevant, Article 6(1)(f) GDPR for fraud prevention, receivables management and proof of payment.
Transfers to third countries
We prefer European providers and European storage locations where technically and economically possible. Nevertheless, internationally operating service providers, support cases, security analyses, AI functions or enabled interfaces may involve transfers to, or processing from, countries outside the EU/EEA.
- Adequacy decision: For US providers certified under the EU-US Data Privacy Framework, the adequacy decision may provide the basis for transfer.
- Standard Contractual Clauses: Where required, we use EU Standard Contractual Clauses and supplementary safeguards.
- At your request: An optional integration may also cause a transfer because you enable a third-party provider or actively export data.
Retention
We store personal data only for as long as required for the respective purpose.
- Contact inquiries: Until final processing and subsequently in accordance with statutory retention or limitation periods.
- Contract and billing data: During the contract term and thereafter as required by statutory retention obligations, particularly under the German Commercial Code (HGB) and Fiscal Code (Abgabenordnung, “AO”), generally for up to 10 years.
- Platform data processed on behalf of customers: In accordance with the DPA, contract and Customer instructions; after Contract End, generally deleted or returned within the agreed periods unless statutory obligations prevent this.
- Logs and security data: For as long as required for security, troubleshooting, prevention of misuse and traceability.
- Consent information: Until withdrawal, reset in the browser or expiry of the technical storage period.
Your rights
Subject to the statutory requirements, you have the following rights:
- Access under Article 15 GDPR
- Rectification under Article 16 GDPR
- Erasure under Article 17 GDPR
- Restriction of processing under Article 18 GDPR
- Data portability under Article 20 GDPR
- Objection under Article 21 GDPR to processing based on Article 6(1)(e) or (f) GDPR
- Withdrawal of consent with future effect under Article 7(3) GDPR
To exercise your rights, simply email datenschutz@autaxo.de.
You also have the right to lodge a complaint with a data-protection supervisory authority, particularly the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia, which is the supervisory authority responsible for us.
We do not carry out automated decision-making, including profiling, within the meaning of Article 22 GDPR.
Data security
We use technical and organizational measures under Article 32 GDPR to protect personal data against loss, manipulation, unauthorized access and other risks. These measures include TLS encryption, role-based access controls, administrator access with multi-factor authentication, logging, backup and recovery concepts, authorization concepts, service- provider reviews and contractual confidentiality obligations.
Changes to this Privacy Policy
We update this Privacy Policy when legislation, providers, functions or processing operations change. The current version is available on this page.
Last updated: July 2, 2026 (Version 1.3)