Transparent, explained.
How we process personal data on studio.pemediacorp.com. Structured along Articles 13 and 14 GDPR. The German version is the legally binding one.
Stand: 16 May 2026
1. Controller
Plößl & Ehrl Vertriebs UG (limited liability)Boschstr. 4, 82178 Puchheim, Germany
Email: kontakt@pemediacorp.com
Authorised representatives: Luis Maximilian Plößl, Lorenz Ehrl
2. Data protection officer
We are not obliged to appoint a data protection officer (§ 38 BDSG) because fewer than twenty persons are permanently engaged in the automated processing of personal data at our company. For data protection questions, please contact kontakt@pemediacorp.com.
3. Your rights
You have the right at any time to:
- Access the data stored about you (Art. 15 GDPR)
- Rectification of inaccurate data (Art. 16 GDPR)
- Erasure of your data (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Object to processing (Art. 21 GDPR)
- Withdraw consents granted (Art. 7 (3) GDPR)
- Lodge a complaint with a supervisory authority (Art. 77 GDPR)
Competent supervisory authority for our registered office: Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach, Germany.
4. Specific processing activities
4.1 Account creation and management
Data: email address, password (Argon2id-hashed), registration timestamp.
Legal basis: Art. 6 (1) (b) GDPR (pre-contractual steps and contract performance).
Recipients: Processor Hetzner Online GmbH, Gunzenhausen (EU). A data processing agreement is in place.
Retention: Until account termination plus 30 days recovery window. Erased thereafter unless statutory retention obligations (e.g. § 147 of the German Fiscal Code) require otherwise.
4.2 Email verification (six-digit code)
Data: email address, short-lived verification code (10 min TTL), send status.
Legal basis: Art. 6 (1) (b) GDPR (pre-contractual steps) and Art. 6 (1) (f) GDPR (legitimate interest: confirmation of email ownership).
Recipients: Our own mail server on Hetzner infrastructure (EU). Codes do not leave our systems.
Retention: Codes are deleted immediately after verification or expiry. Mail send logs 30 days.
4.3 Session management via HttpOnly cookie
Data: Opaque session token in the cookie psp_session. Not identifying personal data without database access.
Legal basis: Art. 6 (1) (b) GDPR and § 25 (2) (2) TDDDG (strictly necessary).
Retention: 30 days rolling, deleted immediately on logout.
4.4 License management for Pemediacorp software
Data: license key, device ID (hash of hardware fingerprint), last activation IP, activation timestamp.
Legal basis: Art. 6 (1) (b) GDPR (contract performance).
Recipients: Our own license server (lizenz.pemediacorp.com) on Hetzner infrastructure in the EU.
Retention: During the contract term. After termination, 30 days recovery window, then anonymised (the hash remains to prevent double activations).
4.5 Payment via Stripe
Once we activate checkout, we redirect you for the actual payment to a checkout page hosted by Stripe.
Data: name, address, email, payment method data (collected by Stripe itself; we only see a masked representation), invoice amount, plus confirmations regarding terms and withdrawal notice with timestamp (as metadata of the payment session as evidence of pre-contractual conduct).
Legal basis: Art. 6 (1) (b) GDPR (contract performance); for evidence preservation additionally Art. 6 (1) (f) GDPR together with Art. 5 (2) GDPR (accountability).
Recipients: for EU customers Stripe Payments Europe Ltd., Dublin, Ireland. For internal corporate data flows Stripe Inc., San Francisco, USA (DPF-certified).
Role: Stripe is an independent controller for payment processing within its own responsibility under Art. 4 (7) GDPR (fraud prevention, anti-money-laundering compliance, own customer records). For the processing attributable to us, a data processing agreement under Art. 28 GDPR is in place (Stripe DPA).
Third-country transfer: Yes. Safeguarded via DPF and SCCs.
Retention: Invoice data 10 years under § 147 of the German Fiscal Code.
4.6 Account profile data (name, address, company, VAT ID, phone)
If you have an account with us, you can store your billing address and personal data under /en/account/profile and /en/account/billing.
Data: first name, last name, optional company, optional VAT ID, street and house number, postal code, city, country, optional phone, Stripe customer ID for linking.
Legal basis: Art. 6 (1) (b) GDPR (contract performance) and Art. 6 (1) (c) GDPR in conjunction with §§ 14, 14a German VAT Act and § 147 German Fiscal Code (tax retention obligations for invoicing).
Recipients: Hetzner Online GmbH (EU, processor) for data storage. Additionally, name and address are transmitted to Stripe Payments Europe Ltd. (Ireland) on change so that your invoices can be issued correctly.
Retention: During the contract term, then 10 years under § 147 of the German Fiscal Code for invoice-relevant data. Non-invoice-relevant profile data is deleted 30 days after account closure.
4.7 Reach measurement with Umami (analytics.pemediacorp.com)
With your consent (cookie banner, "Statistics" category), we operate our own Umami server for reach measurement. Umami is an open-source analytics tool that does not use third-party cookies and anonymises IP addresses.
Data: visited page, referrer, screen resolution, browser language, anonymised visitor hash (1-day TTL).
Legal basis: Art. 6 (1) (a) GDPR (consent) and § 25 (1) TDDDG.
Recipients: Our own server (EU). No third-party transfer.
Retention: 12 months aggregated; IP hash 1 day.
4.8 Consent log
Data: consent decision, timestamp, anonymised hash.
Legal basis: Art. 6 (1) (c) GDPR (accountability) and § 25 TDDDG.
Retention: 3 years, then anonymised.
4.9 Server log files
Data: shortened IP address (last octet truncated for IPv4, last 80 bits truncated for IPv6), date and time, requested URL, referrer, user agent.
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest: operational security and abuse prevention).
Retention: 14 days rolling.
4.10 Marketing pixels (only after explicit consent)
With your consent to the "Marketing" category, we load third-party tracking pixels to measure the success of our ads and build audience lists for remarketing. Without your consent, neither scripts nor data are transmitted to these providers. You can change or withdraw your choice anytime under /en/account/cookies or via the footer link "Cookies".
Common to all four pixels: Legal basis is Art. 6 (1) (a) GDPR and § 25 (1) TDDDG (consent). Conversion value (tier price in EUR) is transmitted on successful purchase. Third-country transfer to the USA, safeguarded by the EU-US Data Privacy Framework (all four providers are DPF-certified) and Standard Contractual Clauses under Art. 46 GDPR.
4.10.1 Google Ads (gtag.js)
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (EU data flows); Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (corporate data).
Data: Pseudonymous cookie ID, IP address (Google anonymises the last octet), click source URL, browser/device data, conversion events (purchase incl. value in EUR and tier).
Processing: Data processing agreement under Art. 28 GDPR via Google's "Data Processing Terms for Advertising". Retention 30 days to 18 months depending on campaign configuration.
4.10.2 Meta Pixel (Facebook + Instagram)
Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland; Meta Platforms Inc., USA.
Data: Pseudonymous browser ID, IP address, page interactions (PageView, Purchase with value in EUR and tier label). Meta links these to your Facebook or Instagram account if you are logged in there.
Role: Joint controllers (Art. 26 GDPR) for the collection via the pixel. The agreement is the Meta Controller Addendum. Retention 180 days rolling (Meta default).
4.10.3 LinkedIn Insight Tag
Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; LinkedIn Corporation, USA (Microsoft subsidiary).
Data: Pseudonymous cookie ID, IP address, page URL, timestamp, browser/device data, conversion events. For logged-in LinkedIn users, linking to the LinkedIn profile is possible.
Retention: 90 days for pixel data, 180 days for Matched Audience lists (LinkedIn default).
4.10.4 Reddit Pixel
Provider: Reddit, Inc., 548 Market St #16093, San Francisco, CA 94104, USA. Reddit has no separate EU establishment; data processing takes place in the USA.
Data: Pseudonymous browser ID, IP address, page URL, timestamp, browser/device data, PageVisit and Purchase events. For logged-in Reddit users, linking to the Reddit profile is possible.
Retention: 180 days for pixel data (Reddit default).
5. Automated decision-making
We do not carry out any solely automated decisions within the meaning of Art. 22 GDPR. Stripe may perform its own fraud-prevention checks; this falls under Stripe's own controller responsibility.
6. Changes to this policy
We may amend this privacy policy from time to time to reflect changes in our processing activities or legal requirements. The current version is always available at this page; significant changes will be communicated separately to logged-in users.