Privacy policy
As of June 2026. This privacy policy applies to the website verwalto.xhub.io (marketing) and the SaaS application app.verwalto.xhub.io. We treat your personal data confidentially and in accordance with statutory data protection regulations.
1. Controller
Controller within the meaning of the GDPR:
BeeBack UG (haftungsbeschränkt)
Scheffelstrasse 20A
60318 Frankfurt am Main
Germany
Email: datenschutz@xhub.io
Managing Director: Patrick Jerominek
We have not appointed an external data protection officer, as we do not meet the legal requirements for doing so (§ 38 BDSG).
2. General information
We process your personal data exclusively on the basis of statutory provisions — in particular the GDPR, the German Federal Data Protection Act (BDSG) and the TDDDG. Personal data is any data that can be used to identify you personally (e.g. name, email address, IP address).
3. Role regarding customer data (processing on behalf)
For the personal data of owners, tenants and other data subjects that management companies enter into our software, the management companies themselves are controllers within the meaning of Art. 4(7) GDPR. In this respect we are a processor under Art. 28 GDPR and process this data exclusively on their instructions on the basis of the data processing agreement (DPA). This privacy policy describes the processing for which we are the controller — the marketing website and our own business operations. The full DPA and the technical-organizational measures are available at verwalto.xhub.io/avv and /tom.
4. Hosting
This website is hosted exclusively in Germany. Hosting provider:
Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen
Germany
We have concluded a data processing agreement with Hetzner pursuant to Art. 28 GDPR. The servers are located in the data center sites in Falkenstein and Nuremberg.
5. Server logs
When you access our pages, our hosting provider automatically collects information transmitted by your browser:
– IP address (shortened after 7 days)
– date and time of the request
– page accessed and amount of data transferred
– HTTP status code and referrer URL
– browser type/version and operating system
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in stable IT security). Retention: 7 days.
6. Cookies
We use cookies in three categories:
– Necessary cookies are technically required, e.g. to store the language setting and the cookie consent itself (§ 25(2) TDDDG together with Art. 6(1)(f) GDPR).
– Analytics cookies are only set with your consent. Specifically, we use Google Analytics 4. Without consent, Google Consent Mode defaults to 'denied' — no analytics cookies (_ga, _ga_*) are set (Art. 6(1)(a) GDPR together with § 25(1) TDDDG).
– We currently do not use marketing cookies.
You can withdraw your consent at any time via the footer link 'Cookie settings'.
7. Consent cookie
We set a technically necessary cookie named hvxhub_consent containing your consent choice (necessary always on, analytics yes/no) and a timestamp. Retention: 180 days. Without this cookie we would have to show you the cookie banner again on every page view.
8. Contacting us
If you contact us by email or via the contact form, we process the submitted data (name, email, management company, number of units, message) to handle your request. The notification to our inbox is handled via Resend (Resend, Inc.) as a processor; no permanent contact list is stored at the provider. Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) or (f). Retention: until the request is resolved, longer where statutory retention obligations apply (e.g. § 257 HGB).
9. Fonts
We use the fonts 'Geist' and 'Outfit'. These are bundled locally at build time and served from our own server (next/font). No data is transferred to Google when you visit our site.
10. Google Analytics 4 (only with consent)
For anonymized reach measurement we use Google Analytics 4, a service of Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland). The tool only loads after your consent in the cookie banner and is set to 'denied' via Google Consent Mode until then. Processing may involve transfers to Google LLC in the USA, safeguarded by the EU-US Data Privacy Framework and standard contractual clauses. You can withdraw consent at any time via 'Cookie settings'; any _ga cookies are then removed. Legal basis: Art. 6(1)(a) GDPR together with § 25(1) TDDDG.
11. Resend (email delivery)
For sending contact-form notifications we use Resend (Resend, Inc.) as a processor. A data processing agreement is concluded with Resend.
12. Payment service provider
For paid use of the application, a payment service provider (e.g. Stripe Payments Europe Limited, Dublin, Ireland) is used, with whom a data processing agreement exists. Legal basis: Art. 6(1)(b) GDPR.
13. Data security
This website and the application use TLS 1.3 encryption ('https://'). Sensitive data in the database is additionally encrypted at rest with AES-256. We implement appropriate technical and organizational measures (TOM) pursuant to Art. 32 GDPR — see verwalto.xhub.io/tom.
14. Data subject rights
You have the following rights at any time:
– access (Art. 15 GDPR)
– rectification (Art. 16)
– erasure (Art. 17)
– restriction of processing (Art. 18)
– data portability (Art. 20)
– objection (Art. 21)
– withdrawal of consent (Art. 7(3))
To exercise your rights, an informal email to datenschutz@xhub.io is sufficient.
15. Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Postfach 31 63
65021 Wiesbaden
datenschutz.hessen.de
16. Retention
Personal data remains with us until the purpose of processing no longer applies. We then delete it without undue delay, unless statutory retention periods (e.g. 10 years under § 257 HGB / § 147 AO) apply.
17. Changes to this privacy policy
We update this privacy policy occasionally to reflect changes to our services or legal requirements. The current version is always available on this page.