savien Legal
Privacy Policy
Information on the processing of personal data.
Last updated: 2026-05-12
This Privacy Policy explains how personal data is processed when using savien, our website and our B2B SaaS application.
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
savien
Sole proprietorship
Meierberger Str. 14
31737 Rinteln
Germany
Email: datenschutz@savien.io
2. Data Protection Officer
No Data Protection Officer has currently been appointed because, based on the current assessment, there is no statutory obligation to appoint one. The relevant provisions include Art. 37 GDPR and Section 38 German Federal Data Protection Act (BDSG). This assessment will be revisited if the scope, type or organisation of processing changes, in particular if at least 20 persons are regularly and permanently involved in automated processing of personal data or if a data protection impact assessment becomes necessary.
Privacy requests may be sent to datenschutz@savien.io.
3. Purpose of savien
savien is a B2B platform for collaboration between merchants, suppliers and their employees. The application supports in particular:
- Registration, login, roles and team management.
- Supplier and customer connections.
- Product catalogues, items, prices and stock information.
- Orders, deliveries, shipments, goods receipts and returns.
- Comments, documents, notifications and email templates.
- Billing and subscription management.
- Optional ERP integration, currently in particular BillBee.
- Support, security, error analysis, platform operations and misuse prevention.
4. GDPR Roles
For data we process ourselves to provide and manage the service, we act as controller within the meaning of Art. 4(7) GDPR. This includes in particular account, contract, billing, support, security, website and operational data.
For content and business data that customers process in savien for their own supply chain processes, we generally act as processor within the meaning of Art. 28 GDPR. Details are governed by our Data Processing Agreement.
Customers remain responsible for their own content and the lawfulness of their processing, in particular for data relating to their employees, suppliers, merchants, contact persons and other business partners. Where customers invite other companies or users to savien, they must ensure that the invitation and transmitted data are lawful.
Pure company data is not personal data. It may become personal data where it relates to identified or identifiable natural persons, such as contact persons, sole proprietors, roles, email addresses or communication content.
5. Categories of Personal Data
Depending on usage, we process the following categories:
- Master data: name, company, role, customer number, language, time zone.
- Contact data: email address, telephone number, business address.
- Authentication data: user ID, password hash, login status, email verification, MFA status, session data.
- Team and permission data: roles, invitations, company assignment, platform administrator status.
- Contract and billing data: plan, subscription status, Stripe customer ID, invoice and payment information.
- Supply chain and order data: suppliers, merchants, items, SKUs, prices, orders, shipments, tracking, received quantities, discrepancies, returns.
- Communication data: comments, notifications, email templates, contact form and support requests.
- Documents and files: uploaded order, delivery, product or other B2B documents and metadata.
- Integration data: BillBee username, API credentials, SKU mappings and API test results.
- Usage and security data: IP address, user agent, timestamps, logs, error data, audit events, rate-limit data, page views of logged-in users.
- Technical data: cookies, session cookies, local storage data, device and browser information, performance and web-vitals data.
6. Purposes and Legal Bases
Account, Authentication and Security
Purpose: registration, login, email verification, password reset, MFA, session management, role checks, protection against misuse. Legal basis: Art. 6(1)(b) GDPR for contract performance, Art. 6(1)(f) GDPR for legitimate security interests, Art. 6(1)(c) GDPR for legal obligations.
Provision of the B2B Platform
Purpose: management of merchant/supplier relationships, orders, catalogues, shipments, documents, comments and notifications. Legal basis: Art. 6(1)(b) GDPR where we provide contractual services; Art. 28 GDPR where we process customer data on behalf of the customer.
Team Management and Invitations
Purpose: inviting employees, suppliers and merchants, assigning them to company accounts and permissions. Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR. The legitimate interest lies in B2B collaboration and secure access management.
Billing and Payment Management
Purpose: subscription management, checkout, payment processing, invoices, fraud and misuse prevention. Legal basis: Art. 6(1)(b) GDPR, Art. 6(1)(c) GDPR for statutory commercial and tax obligations, Art. 6(1)(f) GDPR for receivables management and misuse prevention.
Email Communication
Purpose: transactional emails, security emails, invitations, password reset, notifications and support responses. Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR. Marketing emails are sent only in accordance with Section 7 German Unfair Competition Act, in particular with consent or within legally permissible existing-customer communication.
Contact Form, Support and Customer Communication
Purpose: handling demo, sales, support, privacy, security or legal requests. Legal basis: Art. 6(1)(b) GDPR for pre-contractual or contractual communication and Art. 6(1)(f) GDPR for general request handling and documentation.
Support, Error Analysis and Operations
Purpose: support handling, troubleshooting, auditing, monitoring, security, backup and recovery. Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.
Internal Usage and Page-View Tracking
Purpose: product improvement, identifying frequently used areas, support, security and misuse analysis. The application may internally store page paths of logged-in users together with user ID. Admin and API paths are excluded. Legal basis: Art. 6(1)(f) GDPR. The legitimate interest lies in operation, security and improvement of the platform. Where tracking is required for contractual functionality, Art. 6(1)(b) GDPR also applies.
Vercel Analytics and Speed Insights
Purpose: measuring page views, technical performance and web vitals to improve stability, load times and product quality. Technical information such as path, time, referrer, browser/device information, approximate location or network data and performance values may be processed. Legal basis: Art. 6(1)(f) GDPR for technical and operational analysis. Where non-essential terminal-device access, cookies or similar technologies are used, they are used only with consent based on Section 25(1) TDDDG and Art. 6(1)(a) GDPR.
Optional Integrations
Purpose: connection with third-party providers such as BillBee, synchronisation of SKUs and stock levels. Legal basis: Art. 6(1)(b) GDPR and Art. 28 GDPR where we act on behalf of the customer. Activation is performed by the customer.
Legal Obligations and Enforcement
Purpose: statutory retention, responding to authority requests, enforcing and defending legal claims. Legal basis: Art. 6(1)(c) GDPR and Art. 6(1)(f) GDPR.
7. Recipients and Service Providers
We use service providers that process personal data on our instructions, on the basis of their own statutory obligations or as independent controllers. These include in particular:
- Supabase: authentication, PostgreSQL database, storage, realtime.
- Vercel: hosting, deployment, edge/serverless infrastructure, logs, Web Analytics, Speed Insights.
- Stripe: payment processing, subscription management, invoices; depending on the processing, Stripe may also act as independent controller.
- Resend: transactional email delivery.
- BillBee: optional ERP integration where activated by the customer; depending on configuration, BillBee may act as independent controller or processor of the customer.
- Further technical service providers as listed in the current Subprocessor List.
The current Subprocessor List is available at /unterauftragsverarbeiter or documented in unterauftragsverarbeiter.md.
Personal data may also be disclosed to authorities, courts, tax advisers, legal advisers or other recipients where legally required or necessary to enforce rights.
8. International Data Transfers
savien can be used worldwide. Personal data may therefore be processed outside the EU/EEA, in particular where service providers, support processes or users are located outside the EU/EEA.
For international transfers, we use appropriate safeguards under Chapter V GDPR, in particular:
- Adequacy decisions of the European Commission, where available.
- EU Standard Contractual Clauses pursuant to Art. 46 GDPR.
- Additional technical and organisational safeguards where required.
- The EU-US Data Privacy Framework where a US provider is certified accordingly.
Customers processing data from other jurisdictions in savien are responsible for reviewing local transfer and privacy requirements to the extent they go beyond EU/German law.
9. Retention Periods
We store personal data only as long as necessary for the respective purposes.
- Account data: for the duration of the user account and thereafter according to statutory obligations or legitimate interests.
- Contract and billing data: generally according to statutory commercial and tax retention periods, often six or ten years.
- Customer data in the platform: while the customer uses the service or until deletion under the contract/DPA.
- Invitation and token data: for the limited validity period technically configured for the invitation or token.
- Error, security and usage logs: for a limited period; the concrete retention depends on the system concerned and on security needs.
- Backups: for the defined backup period and then automatic overwriting/deletion.
- Support and contact requests: as long as required for handling, traceability and legal interests.
Specific periods may vary depending on contract, plan, backup configuration and statutory obligations.
10. Cookies, Local Storage and Similar Technologies
savien uses technically necessary cookies and similar storage technologies, in particular for login, session, security, language settings and service delivery.
Access to information on terminal devices in Germany is governed in particular by Section 25 TDDDG. Technically necessary storage may rely on Section 25(2) No. 2 TDDDG. Where we use non-essential cookies, analytics, marketing or tracking technologies, we obtain prior consent where legally required.
Details are set out in cookie-hinweise.md.
11. Security
We implement technical and organisational measures pursuant to Art. 32 GDPR, in particular access controls, role and permission models, encryption, row-level security, private storage buckets for documents, MFA support, logging, backups and remediation processes.
Details are set out in technische-und-organisatorische-massnahmen.md.
12. Data Subject Rights
Data subjects have the following rights under the GDPR, among others:
- Access under Art. 15 GDPR.
- Rectification under Art. 16 GDPR.
- Erasure under Art. 17 GDPR.
- Restriction of processing under Art. 18 GDPR.
- Data portability under Art. 20 GDPR.
- Objection under Art. 21 GDPR.
- Withdrawal of consent with effect for the future.
- Complaint to a supervisory authority under Art. 77 GDPR.
Requests may be sent to datenschutz@savien.io. Where we process data on behalf of a customer, we generally forward requests to the relevant customer or assist the customer in handling them.
13. Right to Lodge a Complaint
Data subjects have the right to lodge a complaint with a data protection supervisory authority. The competent authority may in particular be the authority at the controller's place of establishment or the data subject's place of residence.
For savien at its Rinteln location, the following authority may be relevant:
Die Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstr. 5
30159 Hannover
Website: https://www.lfd.niedersachsen.de
Email: poststelle@lfd.niedersachsen.de
14. Obligation to Provide Data
Certain data is required for registration, contract conclusion, platform use and billing. Without this data, we may be unable to provide savien in whole or in part.
15. Automated Decision-Making
We do not make decisions based solely on automated processing that produce legal or similarly significant effects within the meaning of Art. 22 GDPR. Automated notices, prioritisation, alerts or status calculations serve platform functionality and can be reviewed by users.
16. Minors
savien is directed at businesses and professional users. Use by minors is not intended.
17. Changes to this Privacy Policy
We may update this Privacy Policy if features, service providers or legal requirements change. The current version will be made available in the application or on the website.