Privacy Policy
Last updated: 4 June 2026
This English version is a convenience translation. In case of discrepancies, the German version of this policy prevails.
This policy explains how personal data is processed when you visit getsamla.de or use the Samla service. References to the GDPR (General Data Protection Regulation, EU 2016/679) and the German BDSG apply.
1. Controller
(1) The controller within the meaning of Art. 4 (7) GDPR is:
LOHN24 EXPERTS GmbH
Nunsdorfer Ring 15
12277 Berlin
Germany
Email: kontakt@getsamla.de
Phone: +49 30 6840881-500
(2) The data protection officer can be reached at: David Schramm, 0xda7a consulting GmbH, Nunsdorfer Ring 15, 12277 Berlin, email: lohn24-experts@privacy.0xda7a.com.
2. Categories of data processed
(1) Depending on how you interact with us, we process the following categories of personal data:
- Access data when you visit the website: IP address, date and time of request, requested URL, referrer, user agent.
- Account data if you create an account: email address, hashed authentication tokens, login timestamps.
- Contract and billing data for paid plans: name, billing address, company name, VAT-ID, payment metadata received from our payment processor.
- Submission data within the Samla product: form values and uploaded files that you or your respondents transmit through a Samla bucket.
- Communication data when you contact us: name, email address, content of your message.
(2) For Submission data, the customer operating a bucket is the controller; LOHN24 EXPERTS GmbH acts as processor in this regard (see Section 7).
3. Purposes and legal bases
We process personal data for the following purposes on the legal bases stated:
- Providing the website and the Samla service - Art. 6 (1) (b) GDPR (performance of a contract or pre-contractual steps).
- Operational security, abuse prevention, log retention - Art. 6 (1) (f) GDPR (legitimate interest in a secure, working service).
- Billing and bookkeeping - Art. 6 (1) (b) and (c) GDPR (legal obligations under German commercial and tax law, in particular §§ 147 AO, 257 HGB).
- Magic-link authentication emails - Art. 6 (1) (b) GDPR.
- Marketing communication, if applicable - only on the basis of consent, Art. 6 (1) (a) GDPR. Consent may be withdrawn at any time.
4. Cookies and similar technologies
We use a strictly necessary session cookie (samla_session) to keep you logged in. No cookies are set for marketing or analytics purposes without your consent.
5. Server log files
When you access the website, our hosting provider automatically records data in server log files. This data is not merged with other data sources and is deleted after at most 30 days, unless retention is required to investigate a specific security incident.
6. Recipients and processors
(1) We engage the following categories of processors under data processing agreements pursuant to Art. 28 GDPR:
- Hosting and infrastructure providers within the EU.
- Email delivery service for transactional emails (login links, notifications).
- Payment service provider (Stripe Payments Europe Ltd., Ireland) for checkout, billing, and subscription management. Card data never reaches our servers.
- Software development and operations (0xda7a consulting GmbH, Berlin), which develops the Samla software and administers the servers on which it runs (see Section 6.1).
(2) A list of currently engaged sub-processors is available on request.
6.1 Software development, operations and error monitoring (0xda7a)
(1) The Samla software is developed by 0xda7a consulting GmbH (Nunsdorfer Ring 15, 12277 Berlin). 0xda7a also administers the servers of LOHN24 EXPERTS GmbH on which Samla runs. In the course of operation, maintenance and troubleshooting, 0xda7a may therefore access system, log and error data and, in that context, personal data processed within the service - including customer submission data. This takes place as a processor under a data processing agreement pursuant to Art. 28 GDPR, bound by instructions and confidentiality; the data stays within Germany and is not disclosed to any third party.
(2) For error and stability monitoring we use Sentry, an open-source platform for error and performance monitoring, run as a self-hosted instance at sentry.0xda7a.com operated by 0xda7a. Sentry processes technical request data (e.g. requested URL, referrer, browser and operating system) and error context. In addition, only when an error occurs, a short session replay of the affected interaction is recorded (e.g. mouse movements, clicks and page interactions) to help reproduce the fault. Form inputs are masked and are not recorded; no analytics or marketing tracking takes place.
(3) The legal basis is Art. 6 (1) (f) GDPR - our legitimate interest in a stable, secure and user-friendly service that is continuously developed and maintained.
7. Samla as a processor for customers
(1) When you operate a Samla bucket and respondents submit data to that bucket, LOHN24 EXPERTS GmbH acts as a processor within the meaning of Art. 28 GDPR.
(2) You are the controller in that case and remain responsible for the lawful basis, the information provided to data subjects, and the response to data-subject requests. You can generate a data processing agreement (DPA / AVV) at /account.
8. International transfers
Submission data is stored within the European Union. Where a service provider necessarily processes data outside the EU/EEA (e.g. Stripe), the transfer is safeguarded by Standard Contractual Clauses pursuant to Art. 46 (2) (c) GDPR and, where applicable, the EU-US Data Privacy Framework.
9. Retention
We store personal data only for as long as necessary for the respective purposes:
- Server log files: up to 30 days.
- Account data: for the duration of the account, plus statutory retention obligations.
- Contract and billing data: 10 years (§ 147 AO) or 6 years (§ 257 HGB), starting from the end of the relevant calendar year.
- Submission data: according to the retention setting of the customer's bucket. Without an explicit instruction we follow the contractual default.
10. Your rights
(1) Subject to the statutory requirements, you have the right to:
- access (Art. 15 GDPR),
- rectification (Art. 16 GDPR),
- erasure (Art. 17 GDPR),
- restriction of processing (Art. 18 GDPR),
- data portability (Art. 20 GDPR),
- objection (Art. 21 GDPR),
- withdrawal of consent at any time, with effect for the future (Art. 7 (3) GDPR).
(2) Please send requests to kontakt@getsamla.de.
(3) You also have the right to lodge a complaint with a supervisory authority. The competent authority for our registered office is the Berliner Beauftragte für Datenschutz und Informationsfreiheit, Alt-Moabit 59–61, 10555 Berlin.
11. Changes to this policy
We may update this policy to reflect changes in our service or in applicable law. The current version is always available at https://getsamla.de/privacy.