This is an English courtesy translation. Only the German version is legally binding.
Privacy Policy
Transparent and GDPR-compliant data processing at AntragPlus
Our security standards
GDPR-compliant
Full compliance with the European General Data Protection Regulation for all of your data – including data erasure, the right of access, and purpose limitation.
Servers in Germany
All personal data is stored and processed exclusively on servers in Germany – certified and securely hosted.
Encrypted
End-to-end encryption for sensitive data – both in transit and at rest.
Privacy Policy (GDPR)
Controller responsible for data processing:
Data protection officer:
Purposes of processing
- Operation and provision of the “AntragPlus” SaaS platform
- Creation, management, and export of grant applications
- User management, billing, and support
- Communication with customers (e.g. email, notifications)
- Fulfilment of statutory retention and record-keeping obligations
Legal bases
- Art. 6(1)(b) GDPR (performance of a contract)
- Art. 6(1)(c) GDPR (legal obligation)
- Art. 6(1)(f) GDPR (legitimate interest, e.g. IT security)
- Art. 6(1)(a) GDPR (consent, e.g. cookies, newsletter)
Data collected
- Registration and contact data (name, organisation, email, payment information)
- Project data (uploaded documents, created applications, financial reports)
- System and usage data (IP address, browser, log files)
Disclosure to third parties and processors
Hosting and infrastructure:
- Netlify (servers in the EU) - website hosting
- Neon (servers in the EU) - database and backend
- AWS (servers in Frankfurt) - cloud infrastructure
Payment processing:
- PayPal (PayPal Europe S.à r.l. et Cie, S.C.A., Luxembourg)
- Stripe (Stripe Payments Europe Ltd., Ireland)
Email delivery:
- Resend (for transactional emails)
- Mailchimp (for newsletters, only with consent)
Analytics services (only with consent):
- Google Analytics 4 (anonymised IP addresses)
- Hotjar (user behaviour, anonymised)
International data transfers
EU/EEA processing: Your data is processed primarily within the EU/EEA (Germany, Ireland, Luxembourg).
Third countries: In individual cases, data processing takes place in third countries (USA) with the following services:
- Google Analytics (USA) - only with consent
- Hotjar (Malta/USA) - only with consent
Safeguards: Standard contractual clauses of the EU Commission, adequacy decisions, or comparable guarantees pursuant to Art. 44-49 GDPR.
Retention period
- Contract data: during the term of the contract + statutory retention period (6–10 years)
- Project data: until deleted by users or until the contract ends
- Log files: max. 14 days
Your rights as a data subject
Right of access (Art. 15 GDPR)
Right to obtain information about the personal data processed
Right to rectification (Art. 16 GDPR)
Right to have inaccurate data corrected
Right to erasure (Art. 17 GDPR)
Right to have personal data erased
Right to restriction (Art. 18 GDPR)
Right to restriction of processing
Data portability (Art. 20 GDPR)
Right to have your data transferred
Right to object (Art. 21 GDPR)
Right to object to the processing
Right to lodge a complaint (Art. 77 GDPR)
You have the right to lodge a complaint with a data protection supervisory authority:
Berliner Beauftragte für Datenschutz und Informationsfreiheit (Berlin Commissioner for Data Protection and Freedom of Information)
Friedrichstr. 219, 10969 Berlin
Phone: +49 30 13889-0
Email: [email protected]
Exercising your rights
To exercise your rights, please contact: [email protected]
Automated decision-making and AI processing
AI-assisted grant analysis: Our platform uses artificial intelligence to automatically analyse and suggest funding programmes.
Processing logic: Algorithms analyse your project data and match it against available funding programmes.
Significance: Automated suggestions for suitable grants based on the information you provide.
Your rights: You have the right to human review, to express your point of view, and to contest the decision pursuant to Art. 22 GDPR.
Website features and data processing
Contact form
Data processed: Name, email address, organisation, message content
Purpose: Handling your enquiry and communication
Legal basis: Art. 6(1)(f) GDPR (legitimate interest)
Retention period: 3 years after the communication has concluded
Job applications (careers page)
Data processed: Name, email address, phone number (optional), LinkedIn/portfolio link (optional), message/motivation, and the position you are applying for
Purpose: Conducting the application procedure and communicating with you
Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) in conjunction with Section 26(1) BDSG (initiation of an employment relationship)
Retention period: Erasure no later than 6 months after the application procedure has concluded, unless you have consented to longer storage (e.g. talent pool)
Newsletter sign-up
Data processed: Email address, name (optional)
Purpose: Sending information about grants and product updates
Legal basis: Art. 6(1)(a) GDPR (consent)
Double opt-in: Confirmation via a separate link required
Unsubscribing: At any time via the link in every email or by emailing us
User accounts and platform use
Data processed: Registration data, project information, usage behaviour
Purpose: Provision of the SaaS features, project management, support
Legal basis: Art. 6(1)(b) GDPR (performance of a contract)
Retention period: During the term of the contract + statutory retention periods
Cookies & tracking technologies
Essential cookies (no consent required)
- Session cookies for login and user navigation
- Security cookies for CSRF protection
- Functional cookies for language settings
Analytics cookies (only with consent)
- Google Analytics 4: Website analytics, anonymised IP addresses
- Hotjar: User behaviour and heatmaps, anonymised
- Retention period: 14 months (Google Analytics), 12 months (Hotjar)
Marketing cookies (only with consent)
- Retargeting pixels for targeted advertising
- Social media plugins (LinkedIn, Twitter)
- Conversion tracking for advertising campaigns
Managing cookie settings
You can adjust your cookie settings at any time via our cookie banner or in your browser settings.
Note: Disabling certain cookies may limit the functionality of the website.
Data security and technical measures
Encryption: All data transmissions take place via SSL/TLS encryption (HTTPS).
Access control: Strict authentication and authorisation for all system access.
Data protection by design: Minimising data collection to what is necessary.
Regular updates: Continuous security updates and penetration tests.
Data protection impact assessment: Regular assessment of data protection risks.
As of: December 2025