Privacy Policy | merkaio

Last updated: March 2026

1. Privacy at a Glance

Scope

This privacy policy applies to the websites merkaio.com, portal.merkaio.com, birdhost.de, chirphost.de, thingshost.de and panelhost.de as well as all associated services and subdomains (collectively referred to as "our websites").

General Information

The following information provides a simple overview of what happens to your personal data when you visit our websites or use our services. Personal data is any data that can be used to personally identify you.

Data Collection on Our Websites

Who is responsible for data collection?

Data processing is carried out by the website operator: merkaio, represented by Timo Wevelsiep, Max-Liersch-Anger 13, 59457 Werl, Germany. Email: [email protected]

Data Protection Officer

The appointment of a data protection officer is not legally required for our company. For data protection inquiries, please contact us directly at [email protected].

How do we collect your data?

Your data is collected when you provide it to us (e.g., via the contact form). Other data is automatically collected by our IT systems when you visit the website (technical data such as browser, operating system, or time of page access).

What do we use your data for?

Data is collected to ensure error-free provision of the website and to process your inquiries.

2. Hosting

Hetzner

We host our website with Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. For details, see Hetzner's privacy policy: https://www.hetzner.com/legal/privacy-policy

Cloudflare

We use Cloudflare as a Content Delivery Network (CDN) and to secure our website. Cloudflare may set technically necessary cookies. Provider is Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA.

Data transfers to the USA are based on the EU-US Data Privacy Framework. Cloudflare is certified under the Data Privacy Framework.

SSL/TLS Encryption

Our websites use SSL/TLS encryption for security reasons. An encrypted connection is indicated by the browser address bar changing from "http://" to "https://" and by the lock icon in your browser bar. When SSL/TLS encryption is activated, the data you transmit to us cannot be read by third parties.

Server Log Files

The hosting provider automatically collects and stores information in server log files that your browser automatically transmits. These are:

Browser type and version
Operating system used
Referrer URL
Hostname of the accessing computer
IP address (anonymized/truncated)
Time of the server request

This data is not merged with other data sources. The collection of this data is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimization of its website – for this purpose, server log files must be collected. Log files are automatically deleted after 7 days.

3. Web Analytics with Umami

We use the privacy-friendly web analytics tool "Umami" on our website to statistically record the use of our website and to evaluate it for the purpose of optimizing our offering. Umami is open-source software that we operate ourselves on our own servers in Germany.

Type and Scope of Data Processing

Umami only collects anonymized usage data without using cookies. No personal data is stored and no tracking across different websites takes place. IP addresses are not stored or processed. Only the following anonymized information is collected:

Pages visited and time spent
Browser type and operating system used
Device type (desktop, tablet, mobile)
Country of origin (without IP storage)
Referrer (which website you came from)

Legal Basis

The legal basis for using Umami is our legitimate interest in statistical analysis of user behavior for optimization purposes pursuant to Art. 6(1)(f) GDPR. Since Umami does not collect personal data and works completely without cookies, no consent is required.

4. Cookies

This website only uses technically necessary cookies. No tracking or marketing cookies are used. The technically necessary cookies are required for the website to function and cannot be disabled.

5. Contact Form

If you send us inquiries via the contact form, your details from the inquiry form, including the contact data you provide, will be stored by us for the purpose of processing the inquiry and for follow-up questions.

We use Cloudflare Turnstile for spam protection. No personal data is stored, only a token for verification is created.

6. Google Ads Conversion Tracking

When you reach our website via a Google ad, a click ID (gclid) assigned by Google is read from the URL and stored in your browser's local storage (localStorage). This click ID is used exclusively to attribute an inquiry or registration to the original ad (conversion measurement).

No cookies are set and no tracking pixels are loaded. The click ID is not transmitted to Google – attribution is performed exclusively server-side via the Google Ads API. No cross-device tracking takes place.

Legal Basis

The storage of the click ID is based on our legitimate interest in measuring the effectiveness of our advertising pursuant to Art. 6(1)(f) GDPR. The storage in localStorage is permissible without consent under § 25(2)(2) TDDDG (German Telecommunications Digital Services Data Protection Act), as it is necessary to provide the service expressly requested by the user.

7. Customer Portal & Registration

Through our customer portal (portal.merkaio.com), you can register, select a service plan and manage your managed hosting instance. During registration and use of the portal, the following data is collected:

Name and company name
Email address
Password (stored exclusively as a cryptographic hash)
Selected service plan and configuration

Legal Basis

Processing of this data is carried out for contract performance pursuant to Art. 6(1)(b) GDPR. The data is required to provide and manage the managed hosting service for you.

Cookies in the Portal

The customer portal uses technically necessary session and authentication cookies to maintain your login. These cookies are required for the use of the portal and cannot be disabled. No tracking or marketing cookies are used.

8. Payment Processing with Stripe

We use Stripe for payment processing. The provider is Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland.

During payment, the following data is transmitted to Stripe:

Email address
Billing address
Payment data (e.g., credit card number, expiry date, CVV)
Order information (plan, amount, currency)

Your payment data is processed and stored in tokenized form directly by Stripe. We never have access to your complete card details. Stripe is PCI DSS Level 1 certified – the highest security standard in the payment industry.

Legal Basis

Processing is carried out for contract performance pursuant to Art. 6(1)(b) GDPR. Stripe privacy policy: https://stripe.com/privacy

9. Data Retention & Deletion

We store your data only as long as necessary for the respective purposes:

Account data: Stored as long as your account exists, and promptly removed after account deletion.
Invoice and payment data: 10 years after the end of the calendar year of invoicing (commercial and tax law retention obligations under German law, § 147 AO, § 257 HGB).
Contract data: 3 years after the end of the contract (standard limitation period under § 195 BGB).

You can request the deletion of your account at any time by emailing [email protected]. After deletion, your personal data will be removed unless legal retention obligations apply.

10. Your Rights

As a data subject, you have the following rights:

Right to information about your personal data (Art. 15 GDPR)
Right to rectification of inaccurate or incomplete data (Art. 16 GDPR)
Right to erasure (Art. 17 GDPR)
Right to restriction of processing (Art. 18 GDPR)
Right to data portability (Art. 20 GDPR)
Right to object to processing (Art. 21 GDPR)
Right to lodge a complaint with the competent supervisory authority (Art. 77 GDPR)

If you have questions about data protection, you can contact us at any time: [email protected]