Privacy Policy
Last updated: April 10, 2026
1. Controller and Contact
The controller within the meaning of the General Data Protection Regulation (GDPR) and other applicable data protection legislation is:
Personalized Nutrition Systems GmbH
Rosental 4
53332 Bornheim
Germany
Email: info@suppify.io
If you have any questions regarding data protection, please contact us by email.
2. Hosting and Technical Provision
This website is hosted by Vercel Inc. (340 S Lemon Ave #4133, Walnut, CA 91789, USA). Vercel provides the technical infrastructure, including Content Delivery Network (CDN) and server log files. Content is primarily delivered via Vercel's European Edge Network.
When you access our website, the hosting provider automatically collects information in server log files that your browser transmits automatically. This includes: IP address, browser type and version, operating system, referrer URL, hostname of the accessing device, and time of the server request.
Legal basis: Article 6(1)(f) GDPR (legitimate interest in the secure and efficient provision of our website).
3. Contact Form
When you contact us via the contact form on our website, the following data is collected:
- Name
- Email address
- Message content
- Company name (if applicable)
The contact request is transmitted via Nodemailer (SMTP). The data is used exclusively to process your inquiry and is not shared with third parties.
Legal basis: Article 6(1)(b) GDPR (performance of pre-contractual measures at the request of the data subject).
Retention period: Your contact inquiry is stored for 6 months and subsequently deleted, unless a further business relationship arises.
4. Cookies and Consent Management
Our website uses cookies. Cookies are small text files that are stored on your device by your browser.
Consent Management Platform (CMP)
We use Cookiebot as our Consent Management Platform to obtain and manage your consent for data processing. When you visit our website, a cookie banner informs you about data processing and allows you to grant or refuse consent.
Essential Cookies
The following cookies are technically necessary for the operation of the website:
- Session cookies (for website functionality)
- Language preference cookie (to store your language selection)
Legal basis for essential cookies: Article 6(1)(f) GDPR (legitimate interest in the technical functionality of the website).
All other cookies (marketing, analytics) are only set with your explicit consent. Legal basis: Article 6(1)(a) GDPR (consent).
5. Marketing and Analytics (Consent Required)
If you have granted consent via our Consent Management Platform, we use the following services:
Google Tag Manager
We use Google Tag Manager (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) to manage website tags. Google Tag Manager itself does not set cookies or collect personal data. It serves as a tool to trigger other tags, which may in turn collect data.
Google Analytics
We use Google Analytics (Google Ireland Limited) for statistical analysis of website usage. IP anonymization is enabled, meaning your IP address is truncated within the EU/EEA before transmission. Data transfers to the USA are carried out on the basis of the EU-US Data Privacy Framework (DPF).
Google Ads Remarketing
We use Google Ads Remarketing (Google Ireland Limited) to display personalized advertisements to you within the Google advertising network after visiting our website. Data transfers to the USA are carried out on the basis of the EU-US Data Privacy Framework (DPF).
Meta Pixel (Facebook)
We use the Meta Pixel (Meta Platforms Ireland Limited, Merrion Road, Dublin 4, Ireland) to measure the effectiveness of our Facebook advertising campaigns and to create target audiences for advertisements. Data transfers to the USA are carried out on the basis of the EU-US Data Privacy Framework (DPF).
TikTok Pixel
We use the TikTok Pixel (TikTok Technology Limited, 10 Earlsfort Terrace, Dublin 2, Ireland) to measure and optimize our TikTok advertising campaigns. Data transfers to the USA are carried out on the basis of Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework (DPF).
Klaviyo
We use Klaviyo (Klaviyo, Inc., 225 Franklin Street, Boston, MA 02110, USA) for email marketing and behavioral analytics on our website. Data transfers to the USA are carried out on the basis of the EU-US Data Privacy Framework (DPF).
Legal basis for all aforementioned services: Article 6(1)(a) GDPR (consent). You may withdraw your consent at any time via the cookie settings.
6. Newsletter (Klaviyo)
If you subscribe to our newsletter, we use Klaviyo (Klaviyo, Inc., 225 Franklin Street, Boston, MA 02110, USA) for sending and managing our newsletter.
Double Opt-In
We use a double opt-in procedure. This means that after you register, you will receive a confirmation email, and your subscription is completed only after you click the confirmation link it contains.
Data Collected
- Email address (required)
- Name (optional)
Tracking
Klaviyo records open rates and click rates of sent newsletters in order to optimize content. This data is evaluated in aggregate form only.
Unsubscribe: You may unsubscribe from the newsletter at any time by using the unsubscribe link at the end of each newsletter or by contacting us by email.
Legal basis: Article 6(1)(a) GDPR (consent).
7. Third-Party Integrations
Tokenize.it (Investment Widget)
Our website embeds an investment widget from Tokenize.it. When loading this widget, data may be transmitted to Tokenize.it. For further information, please refer to the privacy policy of Tokenize.it.
Google Fonts
We use Google Fonts exclusively in self-hosted form via next/font. No external requests are made to Google servers. Accordingly, no personal data is transmitted to Google.
8. Data Transfers to Third Countries
Some of the service providers we use are based in the USA. Data transfers are carried out on the following bases:
EU-US Data Privacy Framework (DPF)
Google, Meta, Klaviyo, and other providers are certified under the EU-US Data Privacy Framework, which ensures an adequate level of data protection pursuant to an adequacy decision of the European Commission.
Standard Contractual Clauses (SCCs)
As a fallback mechanism and for providers not certified under the DPF, we use the Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Article 46(2)(c) GDPR.
TikTok
Data transfers to TikTok are carried out on the basis of Standard Contractual Clauses (SCCs) together with a Transfer Impact Assessment (TIA) to evaluate the level of data protection in the recipient country.
9. Data Subject Rights
Under the GDPR, you have the following rights:
- Right of access (Article 15 GDPR): You have the right to obtain information about whether and which personal data we process about you.
- Right to rectification (Article 16 GDPR): You may request the correction of inaccurate data or the completion of incomplete data.
- Right to erasure (Article 17 GDPR): You may request the deletion of your personal data, provided the legal requirements are met.
- Right to restriction of processing (Article 18 GDPR): You have the right to request the restriction of processing of your data.
- Right to data portability (Article 20 GDPR): You have the right to receive your data that you have provided to us in a structured, commonly used, and machine-readable format.
- Right to object (Article 21 GDPR): You may object at any time to the processing of your personal data based on Article 6(1)(f) GDPR.
Withdrawal of consent: If you have given us consent, you may withdraw it at any time with effect for the future, without affecting the lawfulness of processing carried out on the basis of the consent prior to its withdrawal.
Right to lodge a complaint: You have the right to lodge a complaint with a data protection supervisory authority. The supervisory authority responsible for us is:
State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (LDI NRW)
Postfach 20 04 44
40102 Duesseldorf, Germany
www.ldi.nrw.de
10. Retention Periods
We retain personal data only for as long as necessary for the respective purpose or as required by statutory retention obligations:
- Server log files: 30 days
- Contact inquiries: 6 months
- Marketing cookies: As specified in Cookiebot
- Newsletter data: Until unsubscription
11. Currency and Amendments
This privacy policy is valid as of 10 April 2026. We reserve the right to amend this privacy policy to reflect changes in legal requirements or changes to our data processing activities. The current version is always available on our website.