Legal document Legal document

Privacy Policy

Version 2026-02-09 · Valid from 2026-02-09

Back to shop Download PDF

Privacy notice for the online shop and demo requests

1. Controller

Benjamin Wenzel SoluForge (sole proprietorship)

Owner: Benjamin Wenzel

Kolonnenstraße 8, 10827 Berlin, Germany

Email (privacy): privacy@craftifact.com

2. Scope

This privacy notice applies to personal data processing in the Craftifact online shop, including demo requests and demo lifecycle handling.

  • contract conclusion and checkout,
  • payment processing,
  • invoicing,
  • contract and customer management,
  • demo request review and abuse prevention.

It does not apply to the marketing website or general SaaS usage outside the shop and demo process.

Privacy notices for other offerings:

3. Data processed

  • name of the authorized representative,
  • business email address,
  • company name,
  • billing and payment information,
  • contract and subscription data,
  • transaction data,
  • demo lifecycle audit metadata (account reference, instance reference, public IPv4 address, event timestamps).

4. Purposes of processing

  • concluding and fulfilling subscriptions,
  • payment processing,
  • invoicing and accounting,
  • manual demo approval and support communication,
  • abuse prevention, platform security, and forensic investigations,
  • legal obligations.

5. Legal bases

  • Art. 6(1)(b) GDPR,
  • Art. 6(1)(c) GDPR,
  • Art. 6(1)(f) GDPR.

6. Payment service providers

External payment service providers are used for payment processing. They process payment and transaction data under their own responsibility. SoluForge generally does not receive complete payment details (for example, credit card numbers).

7. Retention

  • contract and billing data: up to 10 years,
  • other purchase-related communication data: up to 6 years,
  • demo request/session metadata: up to 7 days if unused; for started demos until cleanup at demo end,
  • demo-only billing profile data and demo subscription data: deleted after demo cleanup unless required for an active paid contract,
  • IdP account data: not deleted automatically at demo end; deletion is handled manually by support on request,
  • demo abuse-forensics audit metadata (including public IPv4 and event timestamps): up to 1 year.

8. Recipients

  • internal personnel bound to confidentiality,
  • payment service providers,
  • IT and hosting providers as processors under Art. 28 GDPR.

9. Third-country transfers

Transfers to third countries only take place under the conditions of Art. 44 et seq. GDPR. There are currently no third-country transfers.

10. Data subject rights

Rights under Art. 15–21 GDPR. The right to object applies where processing is based on Art. 6(1)(f) GDPR.

11. Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority. For Berlin:

Berlin Commissioner for Data Protection and Freedom of Information

Alt-Moabit 59–61

10555 Berlin

12. Data security

Appropriate technical and organizational measures are used.