Skip to content
Back to homepage

Privacy Policy

Last updated: 2026-04

1. Data Controller, Scope and Target Audience

The data controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the EU member states is:

Headgent GmbH
Heinrich-Peiffer-Straße 5
41540 Dormagen
Germany
Email: info@headgent.com
Commercial register: Local Court (Amtsgericht) Neuss, HRB 24129
VAT ID: DE321303256

This privacy policy applies to the websites jardis.io and docs.jardis.io as well as to the online services of Headgent GmbH accessible through them (collectively the “website” or “Jardis”).

B2B offering: Jardis is directed exclusively at entrepreneurs within the meaning of § 14 of the German Civil Code (BGB), legal entities under public law and special funds under public law. The offering is not intended for consumers within the meaning of § 13 BGB and not for persons under the age of 18. We do not intentionally process personal data of children within the meaning of Art. 8 GDPR.

Data protection officer: The appointment of a data protection officer is not legally required for Headgent GmbH (§ 38 BDSG) and has not been made. For any data protection enquiries, please use the contact details provided above.

2. General Information on Data Processing

We process personal data of our users only to the extent necessary to provide a functional website as well as our content and services. Processing of personal data takes place only with the user's consent or on the basis of one of the following legal grounds:

  • Art. 6 (1) lit. a GDPR: consent of the data subject.
  • Art. 6 (1) lit. b GDPR: necessity for the performance of a contract or for pre-contractual measures.
  • Art. 6 (1) lit. c GDPR: compliance with a legal obligation.
  • Art. 6 (1) lit. f GDPR: legitimate interests, provided that the interests, fundamental rights and freedoms of the data subject do not override them.

Personal data is deleted as soon as the purpose of storage no longer applies and no statutory retention obligations conflict with deletion. Automated decision-making including profiling within the meaning of Art. 22 GDPR does not take place.

In addition to this privacy policy, the use of the Jardis Builder is governed by our Terms of Service.

3. Provision of the Website and Server Log Files

Each time our website is accessed, our system automatically records data and information from the computer system of the requesting device. The following data is collected:

  • IP address of the requesting device
  • Date and time of access
  • Name and URL of the file accessed
  • Volume of data transferred and HTTP status code
  • Referrer URL (previously visited page)
  • Browser type and version
  • Operating system

Storage in log files takes place to ensure the functionality and security of the website, in particular to prevent and analyse attacks on our IT systems, to diagnose errors and to ensure stable operation. Log files are anonymised or deleted after 14 days at the latest, unless further retention is required for evidentiary purposes (e.g. in the event of security incidents).

Legal basis: Art. 6 (1) lit. f GDPR. Our legitimate interest lies in IT security, the prevention and analysis of attacks and the stable, error-free operation of our services.

4. Frontend Hosting via Vercel

The frontend of our websites jardis.io and docs.jardis.io is delivered via the infrastructure of Vercel Inc., 440 N Barranca Avenue #4133, Covina, CA 91723, USA (hereinafter “Vercel”). Vercel operates a global content delivery network; requests are generally served via European edge locations, but processing in the USA cannot be ruled out.

When you access the website, Vercel processes in particular your IP address, user agent, timestamp and requested URL. This processing is technically necessary to deliver the content and to ensure the stability and security of the website.

Third-country transfer to the USA: As Vercel is based in the USA, personal data is transferred to a third country within the meaning of the GDPR. The transfer is based on the adequacy decision of the European Commission under the EU-US Data Privacy Framework (Art. 45 GDPR); Vercel Inc. is certified under the EU-US Data Privacy Framework. In addition, we have concluded EU standard contractual clauses pursuant to Art. 46 (2) lit. c GDPR and a data processing agreement pursuant to Art. 28 GDPR with Vercel. Despite these safeguards, a level of data protection fully comparable to that of EU law cannot be guaranteed in the USA; in particular, access by US authorities cannot be entirely ruled out.

For further information, please refer to the Vercel Privacy Policy.

Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in a performant, globally available and secure delivery of the website) in conjunction with Art. 44 et seq., Art. 45 and Art. 46 GDPR.

5. Backend Hosting via Hetzner

Our application backends (including user account management, API key validation and waitlist processing) are operated in data centres of Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. A data processing agreement pursuant to Art. 28 GDPR has been concluded with Hetzner. No personal data is transferred to third countries as part of the backend hosting.

Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in a technically error-free and secure provision of our services).

6. Cookies and Comparable Technologies

Our website does not use any cookies that would require consent under Section 25 (1) TDDDG. The language version you select (DE/EN) is reflected via the URL structure (/de/, /en/) and is not stored in a cookie.

Where strictly necessary storage technologies (e.g. session storage in the logged-in area of the Jardis Builder) are used, they are indispensable for the operation of the respective service and fall within the exemption of Section 25 (2) no. 2 TDDDG. We do not use any marketing, tracking or profiling cookies. The web analytics service Umami (see Section 7) operates entirely without cookies and without recognition features.

Legal basis: Section 25 (2) no. 2 TDDDG and Art. 6 (1) lit. f GDPR.

7. Web Analytics with Umami Cloud

On jardis.io and docs.jardis.io we use the web analytics tool Umami Cloud to statistically analyse the use of our service and to improve our content. The provider is Umami Software, Inc., USA. jardis.io and docs.jardis.io are tracked separately under their own site IDs.

Umami is a privacy-friendly analytics service designed according to the privacy-by-design principle. In particular:

  • no cookies or comparable recognition features are set,
  • no full IP addresses are stored,
  • no personal profiles or cross-device recognition is created,
  • no data is shared with third parties for advertising or marketing purposes.

We collect anonymised usage data such as pages viewed, referrer source, rough geographical information at country level, browser and device type, and screen resolution. Due to the salting and hashing techniques applied by Umami, in our assessment identification of individual persons is not possible.

Third-country transfer to the USA: As Umami Cloud is operated by a provider based in the USA, connection data (in particular the IP address in the context of the request) is transferred to a third country within the meaning of the GDPR. The transfer takes place on the basis of the EU standard contractual clauses pursuant to Art. 46 (2) lit. c GDPR. Despite these safeguards, a level of data protection fully comparable to that of EU law cannot be guaranteed in the USA.

For further information, please refer to the Umami Privacy Policy.

Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in the needs-based design and statistical analysis of our website) in conjunction with Art. 44 et seq., Art. 46 GDPR. Due to the complete anonymisation and the absence of cookies, consent under Section 25 TDDDG is not required.

8. Contact by Email

You may contact us at the email address provided. In this case, the personal data transmitted with the email (at least your email address, and possibly your name and any further voluntary information) will be stored. The processing serves exclusively to handle your enquiry. The data will be deleted as soon as it is no longer required for the purpose of its collection and no statutory retention obligations apply.

Legal basis: Art. 6 (1) lit. b GDPR if the enquiry is directed at the conclusion or performance of a contract, otherwise Art. 6 (1) lit. f GDPR (legitimate interest in responding to enquiries).

9. Waitlist and Pre-Registration

On our website we offer the possibility to sign up for a waitlist in order to be informed about the availability of the Jardis Builder. For this purpose we process the email address you provide as well as the time of your sign-up.

The purpose of the processing is exclusively to notify you about the product launch and product-related information in connection with the market launch. The email address is not used for any other advertising purposes.

The technical processing takes place via our n8n automation operated on our Hetzner infrastructure in Germany. The submitted data is then transferred to a Google Sheets document (provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; with data processing by Google LLC in the USA). Google is certified under the EU-US Data Privacy Framework; in addition, we have concluded EU standard contractual clauses.

The provision of your email address is voluntary. You can withdraw your consent at any time with effect for the future, either via the unsubscribe link in every email we send or by message to info@headgent.com. Following a withdrawal, or at the latest 30 days after the public launch of the Jardis Builder, your data will be deleted unless it has been converted into a regular account relationship.

Legal basis: Art. 6 (1) lit. a GDPR (consent) in conjunction with Art. 7 GDPR; for the third-country transfer Art. 44 et seq., Art. 45 and Art. 46 GDPR.

10. Jardis Builder: Account and Authentication

Use of the Jardis Builder requires the creation of a user account. As part of registration and the subsequent contractual relationship, we process the following data:

  • Name
  • Email address
  • Password (stored only as a salted hash)
  • API key for authenticating the local builder
  • where applicable, billing data and VAT ID (see Section 12: payment processing)

The provision of the data listed above is required for the conclusion and performance of the user contract. Without this information, we are unable to provide the Jardis Builder. There is no legal obligation to provide the data; failure to provide it merely has the consequence that no contract is concluded.

The processing serves the provision of the service, authentication, management of the user account and performance of the contract. The data is stored for the duration of the contract. After termination, the account is retained for a transitional period of 30 days to allow users to export their data. Personal data is then deleted unless statutory retention obligations apply. Invoicing and accounting data is retained for 10 years pursuant to Section 147 AO and for 6 years pursuant to Section 257 HGB.

Legal basis: Art. 6 (1) lit. b GDPR (performance of contract) and Art. 6 (1) lit. c GDPR (compliance with statutory retention obligations).

11. Jardis Builder: Local Execution and API Key Validation

The Jardis Builder is built according to the principle of privacy by design: the actual code generation and processing takes place exclusively locally on the developer's machine.

Customer data, source code, domain models, business logic and the contents of your projects never leave your machine and are not transmitted to our servers or to any third party at any time. No telemetry or transmission of project content to Headgent GmbH or to third parties takes place.

A connection to our servers is established only in the following narrowly defined case: for so-called Platform Builds, the builder transmits your API key and an anonymous run counter to our servers at Hetzner in Germany for the purpose of licence validation and usage-based billing. Specifically, the following data is processed:

  • API key (for authentication)
  • Run counter (anonymous counter, no content reference)
  • Timestamp of the request
  • Technically required connection data (e.g. IP address as part of the TCP/IP connection)

The contents of the build, generated code, project data or any other payload are not part of this transmission.

Legal basis: Art. 6 (1) lit. b GDPR (performance of contract, in particular licence validation and usage-based billing) and Art. 6 (1) lit. f GDPR (legitimate interest in protection against misuse of our services).

12. Payment Processing via Polar (Merchant of Record)

For the processing of paid orders, we use the payment service provider Polar (Polar Software Inc., 2261 Market Street #4438, San Francisco, CA 94114, USA, hereinafter “Polar”).

Polar acts as a so-called Merchant of Record (MoR). This means that Polar carries out the payment processing in its own name and on its own account. With regard to the payment data, Polar is not a processor of Headgent GmbH but an independent controller within the meaning of Art. 4 no. 7 GDPR. The civil-law role of Polar and the relationship with Headgent GmbH as the licensor are set out in our Terms of Service.

In the course of payment processing, the following data is in particular transmitted to or collected directly by Polar:

  • Name
  • Email address
  • Billing address
  • VAT ID, where applicable
  • Payment data (credit card number, IBAN etc.; collected directly in the PCI-DSS-compliant environment of Polar or its payment service providers and not shared with us)
  • Order data (selected product, amount, time of order)

Third-country transfer to the USA: As Polar is based in the USA, personal data is transferred to a third country within the meaning of the GDPR. To our current knowledge, Polar Software Inc. is not certified under the EU-US Data Privacy Framework. The transfer therefore takes place exclusively on the basis of the EU standard contractual clauses pursuant to Art. 46 (2) lit. c GDPR. Despite these safeguards, a level of data protection comparable to that of EU law cannot be guaranteed in the USA; in particular, access by US authorities on the basis of FISA 702 and Executive Order 12333 cannot be entirely ruled out.

For further information on data processing by Polar, please refer to the Polar Privacy Policy.

Legal basis: Art. 6 (1) lit. b GDPR (performance of contract), Art. 6 (1) lit. c GDPR (legal obligations) and Art. 44 et seq. GDPR in conjunction with Art. 46 GDPR for the third-country transfer.

13. Polar Webhooks and Data Reconciliation

As part of the payment and subscription management, Polar transmits event and customer data to our backend at Hetzner in Germany via so-called webhooks. In this way, we receive information about account creation, successful payments, subscription changes, cancellations and refunds. The data processed includes customer name, email address, order and subscription data and a Polar-internal customer ID.

We use this data exclusively to link a Jardis user account with the corresponding Polar order, to enable the licensed features, for licence administration and for the fulfilment of contractual and statutory obligations.

Source of the data (Art. 14 GDPR): The data described in this section is not collected directly from you, but transmitted by Polar. Polar collects this data directly from you as part of the order process.

Legal basis: Art. 6 (1) lit. b GDPR (performance of contract) and Art. 6 (1) lit. c GDPR (legal obligations).

14. System Emails

In connection with the use of the Jardis Builder, we send system emails, for example to confirm registration, to reset passwords, to deliver the API key or to inform users of contractually relevant events.

These emails are sent via our own infrastructure at Hetzner in Germany. If we additionally engage a specialised transactional email provider, we will disclose its name, location and any third-country aspects here and conclude a data processing agreement pursuant to Art. 28 GDPR.

Legal basis: Art. 6 (1) lit. b GDPR (performance of contract).

15. Recipients and Processors

In the context of the processing described above, we share personal data with the following recipients:

  • Vercel Inc., Covina, USA - frontend hosting and CDN delivery of the websites (processor pursuant to Art. 28 GDPR; third-country transfer to the USA, see Section 4).
  • Hetzner Online GmbH, Gunzenhausen, Germany - hosting of the backend infrastructure, the n8n automation and the sending of system emails (processor pursuant to Art. 28 GDPR).
  • Umami Software, Inc., USA - web analytics via Umami Cloud (processor; third-country transfer to the USA, see Section 7).
  • Google Ireland Limited, Dublin, Ireland (with data processing by Google LLC, USA) - storage of waitlist entries in Google Sheets (processor pursuant to Art. 28 GDPR; third-country transfer to the USA, see Section 9).
  • Polar Software Inc., San Francisco, USA - payment processing as Merchant of Record (independent controller; third-country transfer to the USA, see Sections 12 and 13).

Personal data is not shared with any other third parties unless we are legally obliged to do so (in particular towards tax or law enforcement authorities; legal basis Art. 6 (1) lit. c GDPR).

No further third-party services: We do not use Google Fonts on our website (the Geist typeface is served locally), nor Cal.com, nor any tracking pixels or comparable marketing tools, nor error monitoring tools such as Sentry.

16. Transfers to Third Countries

Personal data is transferred to third countries outside the European Economic Area in connection with the following services to the USA: Vercel (frontend hosting, Section 4), Umami Cloud (web analytics, Section 7), Google Sheets (waitlist, Section 9) and Polar (payment processing, Sections 12 and 13). The transfers are in each case based on appropriate safeguards pursuant to Art. 44 et seq. GDPR, in particular on the EU-US Data Privacy Framework (Art. 45 GDPR, where the respective provider is certified) and the EU standard contractual clauses (Art. 46 (2) lit. c GDPR). All other processing takes place within the European Union, generally in Germany.

17. Storage Period

Personal data of the data subject is deleted or blocked as soon as the purpose of storage ceases to apply. Storage may also take place if provided for by European or national legislation. The following retention periods apply specifically:

  • Server log files: maximum 14 days
  • Account and contract data: for the duration of the contract plus a 30-day transitional period for data export
  • Invoicing and accounting data: 10 years pursuant to Section 147 AO or 6 years pursuant to Section 257 HGB
  • Waitlist entries: until withdrawal of consent or at the latest 30 days after the public launch of the Jardis Builder
  • Email correspondence: until the enquiry has been finalised

18. SSL/TLS Encryption

For security reasons and to protect the transmission of confidential content, this website uses SSL or TLS encryption. You can recognise an encrypted connection by the browser address bar changing from “http://” to “https://” and by the lock icon in your browser bar.

19. No Automated Decision-Making

Automated decision-making including profiling within the meaning of Art. 22 GDPR does not take place at Jardis. Decisions producing legal effects concerning you, or similarly significantly affecting you, are not taken solely on the basis of automated processing.

20. Your Rights as a Data Subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to withdraw a given consent with effect for the future (Art. 7 (3) GDPR)

To exercise your rights, please contact us at: info@headgent.com.

21. Right to Object pursuant to Art. 21 GDPR

You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you which is based on Art. 6 (1) lit. f GDPR.

The controller will then no longer process the personal data, unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing serves the establishment, exercise or defence of legal claims.

22. Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR.

The supervisory authority responsible for us is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Kavalleriestraße 2-4
40213 Düsseldorf
Germany

23. Changes to This Privacy Policy

We reserve the right to amend this privacy policy to ensure that it always complies with current legal requirements or to reflect changes to our services in the privacy policy, e.g. when introducing new services. The current version will then apply for any further visit.