
Privacy Policy

This privacy policy explains how Expanse UG (haftungsbeschränkt) & Co. KG ("we", "us") processes personal data when you use the platform The Taurus (thetaurus.com) and the public register TTAD (ttad.eu). We are a company seated in Munich, Germany, and process personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation — GDPR / DSGVO), the German Federal Data Protection Act (BDSG) and the German Telecommunications Telemedia Data Protection Act (TTDSG). Last updated: April 2026.

Controller

The controller within the meaning of Art. 4 no. 7 GDPR is:

Expanse UG (haftungsbeschränkt) & Co. KG
Bavariastr. 15, 80336 München, Germany

Registered: Amtsgericht München, HRA 107329 · VAT ID: DE314197563
General partner: Kistner Management UG (haftungsbeschränkt), HRB 234250, Amtsgericht München
Managing director: Hans-Peter Kistner

General enquiries: contact@thetaurus.com
Privacy enquiries: privacy@thetaurus.com

Data protection officer

We have not appointed a data protection officer because the statutory thresholds in § 38 BDSG are not met: we do not regularly employ twenty or more persons engaged in the automated processing of personal data, we do not carry out processing that is subject to a mandatory data-protection impact assessment under Art. 35 GDPR, and we do not process personal data commercially for the purpose of transfer, anonymised transfer or market or opinion research.

For all data-protection matters you can reach us directly at privacy@thetaurus.com. We answer within the time limits of Art. 12(3) GDPR.

Binding language

The legally binding version of this privacy policy is the German text. The English version is provided for convenience and is a translation. In the event of any discrepancy, the German version prevails.

Scope

This policy applies to:

– the authenticated platform thetaurus.com, where sponsors and publishers of political advertising create, manage and publish transparency notices;

– the public register ttad.eu, which displays published transparency notices via QR-code lookup on a read-only basis;

– our email and support correspondence; and

– all pages, forms and features operated by us at those domains.

It does not apply to third-party websites that we link to. Those sites have their own privacy policies.

Categories of personal data we process

Depending on how you use our service, we process the following categories:

– Account data: name, email address, hashed password, organisation membership, role, preferred language, email-verification status.

– Transparency-notice content: legal name, address, email and registration details of sponsors, payers, controllers of the ad and publishers; campaign scope; placement period; amounts paid and benefits in kind; funding sources; targeting techniques and data sources; election linkage.

– Complaint data: contact data and free-text description provided by complainants via the complaint mechanism under Art. 15 of Regulation (EU) 2024/900, which may incidentally reveal political opinions.

– Billing data: billing address, VAT ID, subscription status, invoice history. Payment-card data is processed only by our payment provider — we never see the full card number.

– Usage and device data: IP address, browser user-agent, pages visited, time stamps, referring URL, language, approximate region derived from the IP address.

– Correspondence: emails you send us and our replies.

Personal data contained in a published transparency notice is made public by operation of Regulation (EU) 2024/900 and cannot be kept confidential; see s14.

Legal bases for processing

We rely on one or more of the following legal bases under Art. 6(1) GDPR, depending on the activity:

– lit. (a) consent — for non-essential cookies, product analytics and marketing analytics, and for any direct marketing by email;

– lit. (b) performance of a contract — for account creation, platform operation, billing and support;

– lit. (c) legal obligation — for publication and seven-year retention of transparency notices under Art. 12 and 13 of Regulation (EU) 2024/900, for retention of accounting records under §§ 147 AO / 257 HGB, and for responding to lawful authority requests;

– lit. (f) legitimate interests — for server-log analysis, security monitoring, abuse prevention, fraud prevention in billing, error monitoring, rate limiting and general product operation.

Where we rely on consent, you can withdraw it at any time with effect for the future. Withdrawal does not affect the lawfulness of processing already carried out. Where we rely on legitimate interests, you have a right to object under Art. 21 GDPR; see s8.

Where cookies or comparable technologies store information on or access information from your device, we rely on § 25 TTDSG. Essential cookies are used on the basis of § 25(2) no. 2 TTDSG; all other storage/access requires your prior consent obtained through our cookie banner.

Security of processing

We apply technical and organisational measures appropriate to the risk under Art. 32 GDPR. These include encryption in transit (TLS 1.2+) for all public traffic, encryption at rest for the production database, hashed passwords (bcrypt), principle-of-least-privilege access controls, audit logging of administrative actions, environment separation, regular dependency updates, rate limiting on authentication endpoints, and a documented incident-response procedure.

You are responsible for the security of your own access credentials. Please choose a strong, unique password and notify us at privacy@thetaurus.com without undue delay if you suspect that your account has been compromised.

Your rights

Subject to the conditions set out in the GDPR, you have the following rights in respect of personal data concerning you:

– Right of access (Art. 15 GDPR);

– Right to rectification (Art. 16 GDPR);

– Right to erasure / right to be forgotten (Art. 17 GDPR), subject to the seven-year statutory retention for published transparency notices;

– Right to restriction of processing (Art. 18 GDPR);

– Right to data portability (Art. 20 GDPR);

– Right to object to processing based on legitimate interests (Art. 21 GDPR) — if you object, we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests;

– Right to withdraw consent at any time (Art. 7(3) GDPR).

To exercise any of these rights, please write to privacy@thetaurus.com. We may need to verify your identity before acting on the request. We respond within one month; the period may be extended by a further two months for complex or numerous requests, in which case we will inform you.

Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a data-protection supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement (Art. 77 GDPR).

The authority competent for our company is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
https://www.lda.bayern.de

International data transfers

We primarily process personal data within the European Economic Area. Where a processor or sub-processor is located outside the EEA, or where the support or infrastructure of an EEA-established processor may be routed through a third country, we rely on one of the following safeguards under Chapter V GDPR:

– an adequacy decision of the European Commission (Art. 45 GDPR), including, where applicable, the EU-US Data Privacy Framework for participating US organisations;

– Standard Contractual Clauses (Art. 46(2)(c) GDPR) combined with a transfer impact assessment and — where required — supplementary measures;

– your explicit consent (Art. 49(1)(a) GDPR) for specific occasional transfers.

A list of the processors we use and the safeguards applied is available on request at privacy@thetaurus.com.

Hosting and server log files

The platform is hosted with Netlify, Inc. Database services are provided by Prisma Data, Inc. (Prisma Postgres / Accelerate). Hosting is carried out on EU infrastructure where available; where US-based infrastructure is used, transfers are covered by the safeguards described in s10.

Each time a page is requested, the hosting infrastructure automatically records so-called server-log data: the IP address of the requesting device, the date and time of the request, the URL requested, the HTTP status, the amount of data transferred, the referrer and the user-agent string. This data is processed on the basis of Art. 6(1)(f) GDPR for the legitimate interest in operating, securing and troubleshooting the service. Server-log data is retained for up to fourteen days and then deleted or anonymised, unless a security incident requires a longer retention for investigation.

Cookies and comparable technologies

We use cookies and comparable technologies (local storage, session storage) to operate the service and, with your consent, to understand how the service is used.

Essential storage/access (§ 25(2) no. 2 TTDSG) — no consent required:

– authentication session cookie ("next-auth.session-token"), kept for the duration of the session plus up to 30 days;

– CSRF token cookie, session duration;

– language preference cookie ("NEXT_LOCALE"), up to 12 months;

– cookie-consent decision cookie, up to 12 months.

Non-essential storage/access — set only after you consent via the cookie banner:

– Google Analytics 4 (marketing analytics) — see s21;

– PostHog (product analytics) — see s20.

You can review and change your consent at any time via the "Cookie settings" link in the page footer. Withdrawal has effect for the future only.

Account registration and authentication

To use the authenticated features of the platform you must create an account. We process your email address, a bcrypt-hashed password, your name, chosen organisation and role. We send an email-verification link to the address you provided.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract); email verification is also carried out on the basis of Art. 6(1)(f) GDPR (legitimate interest in platform integrity).

Account data is retained for the duration of the account relationship and deleted after termination, unless statutory retention periods (tax, accounting, published notices) require longer retention of specific records.

Transparency notices and the public register (TTAD)

The core product function is to prepare, publish and make publicly available transparency notices for political advertisements in accordance with Regulation (EU) 2024/900.

When you submit a transparency notice for publication, the content of that notice — including the legal name and contact details of the sponsor, the payer, the controller of the advertisement and the publisher, campaign information, amounts paid, funding sources and targeting information — is made available to the public on ttad.eu and, where applicable, via embedded links on the publisher's channels.

Legal basis: Art. 6(1)(c) GDPR in combination with Art. 12 of Regulation (EU) 2024/900. Publication and the seven-year retention under Art. 13 of that Regulation are mandatory and cannot be avoided by a request for erasure.

A right to restriction or erasure exists only in the narrow cases in which the statutory publication duty itself does not apply (for example, data published in error that is not actually required under Art. 12 of the Regulation). Requests are assessed case by case.

Complaint handling

We operate the complaint-intake mechanism required by Art. 15 of Regulation (EU) 2024/900 and, where applicable, Art. 20 of Regulation (EU) 2022/2065 (Digital Services Act).

When you submit a complaint about a transparency notice, we process your contact details and the content of your complaint in order to forward the complaint to the responsible publisher, to document handling and to comply with transparency and reporting obligations.

Complaints may incidentally reveal political opinions (special category under Art. 9(1) GDPR). In that case, the additional legal basis is Art. 9(2)(e) GDPR (data manifestly made public by the data subject) or Art. 9(2)(g) GDPR in conjunction with the specific public-interest task laid down in Regulation (EU) 2024/900.

Complaint records are retained for the duration of the related notice's retention period (seven years).

Payment processing — Stripe

Payments for Ensured subscriptions are processed by Stripe Payments Europe, Limited, 25/28 North Wall Quay, Dublin 1, Ireland. When you enter payment-card data, this data is transmitted directly to Stripe's PCI-DSS-compliant infrastructure; we do not see or store the full card number.

From Stripe we receive transaction metadata (amount, currency, status, last four digits of the card, country of issuer) which we use to manage your subscription and issue invoices.

Stripe acts as an independent controller for its own fraud-prevention and anti-money-laundering obligations; for the payment instruction itself, we and Stripe are linked by a processor/controller relationship under Art. 28 GDPR. Legal basis: Art. 6(1)(b) GDPR (performance of contract) and Art. 6(1)(c) GDPR (invoicing and tax-law retention obligations). Stripe's privacy notice is available at https://stripe.com/privacy.

Transactional email — Resend

Transactional email (verification, password-reset, account and billing notifications, notice-related messages) is sent using Resend (Resend, Inc., 2261 Market Street #4667, San Francisco, CA 94114, USA) or, as a fallback, via SMTP configured by us.

Your email address, the content and time of the message, and delivery metadata (delivery success, bounce, spam complaint) are processed for this purpose. Legal basis: Art. 6(1)(b) GDPR (performance of contract) and Art. 6(1)(f) GDPR (legitimate interest in reliable delivery).

International transfers to the United States are covered by Standard Contractual Clauses (Art. 46(2)(c) GDPR) and, where the recipient is self-certified, by the EU-US Data Privacy Framework.

Error monitoring — Sentry

We use Sentry (Functional Software, Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA) to detect and diagnose runtime errors in the platform. When an error occurs in the browser or on the server, a diagnostic report is sent to Sentry. We have configured Sentry to scrub personally identifiable information before transmission; residual data may include an IP address, a user-agent string, and the path of the request.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a stable, secure service). International transfer safeguards: SCCs and, where applicable, the EU-US Data Privacy Framework. Reports are retained by Sentry for up to ninety days.

Rate limiting and abuse prevention — Upstash

To protect login, registration and write endpoints against brute-force and abuse, we use Upstash Redis (Upstash, Inc., 350 Cambridge Ave, Palo Alto, CA 94306, USA). We store a short-lived counter keyed to an IP-address hash or account identifier, with a time-to-live typically not exceeding one hour.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in platform security). International transfer safeguards: SCCs.

Product analytics — PostHog

Subject to your consent (§ 25(1) TTDSG and Art. 6(1)(a) GDPR), we use PostHog (PostHog Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA — EU region endpoint) to understand how the authenticated platform is used, in order to improve it.

PostHog receives pseudonymous event data (for example: "step completed", "notice published"), a device identifier stored in a first-party cookie, a hashed user ID once you log in, and technical context (IP, user-agent, page URL, referrer). IP addresses are truncated / anonymised.

Legal basis: Art. 6(1)(a) GDPR (consent). You can withdraw your consent at any time via the cookie-settings link in the footer. International transfer safeguards: SCCs and, where applicable, the EU-US Data Privacy Framework. Data is retained by PostHog for up to twelve months.

Marketing analytics — Google Analytics 4

Subject to your consent (§ 25(1) TTDSG and Art. 6(1)(a) GDPR), we use Google Analytics 4, a service operated by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, and its affiliate Google LLC.

Google Analytics sets cookies and uses device identifiers to analyse use of our public marketing pages, to measure the effectiveness of advertising campaigns and to improve user experience. IP addresses are anonymised (IP masking). We have enabled data-retention and deletion defaults that are appropriate to our purposes.

Legal basis: Art. 6(1)(a) GDPR (consent). You can withdraw consent at any time via the cookie-settings link in the footer; alternatively, you can prevent the use of cookies by installing the Google Analytics opt-out browser add-on (https://tools.google.com/dlpage/gaoptout).

International transfer safeguards: for transfers to Google LLC in the US we rely on the EU-US Data Privacy Framework (Art. 45 GDPR). Google's privacy policy is available at https://policies.google.com/privacy.

AI-assisted drafting — Anthropic

Where you use optional AI-assisted drafting inside the notice wizard, the text you enter into the assisted field is transmitted to Anthropic PBC, 548 Market Street PMB 90375, San Francisco, CA 94104, USA (via its API) in order to generate suggestions. The response is returned to you inside the wizard; you can accept, edit or discard it.

Anthropic processes the prompt and response as a processor under Art. 28 GDPR and, under its commercial API terms, does not use customer inputs or outputs to train its models.

Legal basis: Art. 6(1)(b) GDPR (performance of contract) or Art. 6(1)(f) GDPR (legitimate interest in providing authoring assistance). International transfer safeguards: SCCs. We recommend that you do not paste personal data of third parties into AI-assisted fields beyond what is needed for the transparency notice itself.

Contact and support correspondence

When you contact us by email or through a contact form, we process the data you provide (name, email address, message content and any attachments) in order to respond to your enquiry and handle any resulting contractual or pre-contractual relationship.

Legal basis: Art. 6(1)(b) GDPR (pre-contract / contract) or Art. 6(1)(f) GDPR (legitimate interest in handling enquiries). Correspondence is retained for as long as necessary to process your enquiry and, where the enquiry gave rise to a business relationship, in accordance with statutory retention obligations.

Storage periods

We retain personal data only for as long as necessary for the purposes described in this policy or as required by law. In particular:

– Account data — duration of the account relationship, plus statutory retention where applicable.

– Published transparency notices and associated records — seven years after the end of the publication period (Art. 13 Regulation (EU) 2024/900). This period cannot be shortened by erasure request.

– Invoices and accounting records — ten years (§ 147 AO, § 257 HGB).

– Server logs — up to fourteen days, unless retained longer for the investigation of a security incident.

– Rate-limit counters — up to one hour.

– PostHog product-analytics events — up to twelve months.

– Error reports (Sentry) — up to ninety days.

After the applicable period, data is deleted or anonymised.

Automated decision-making and profiling

We do not carry out automated decision-making with legal or similarly significant effect on you within the meaning of Art. 22(1) GDPR. AI-assisted drafting suggestions (s22) are proposals that require your review and explicit acceptance; they do not make decisions on your behalf.

Changes to this privacy policy

We may update this privacy policy to reflect changes to our processing activities, to the services we use, or to legal requirements. The current version is always available at https://thetaurus.com/en/privacy and https://thetaurus.com/de/privacy, together with the date of the last update.

Material changes will be announced inside the platform and, where appropriate, by email to registered users at least 30 days before they take effect.