
Privacy Policy – Partner Platform

Effective: May 2026

1. Scope and Controller

1.1 Scope

This Privacy Policy applies to the ALMARA Partner Platform at partner.almara.life (the “Partner Platform”) and informs you about the processing of personal data in connection with the initiation, establishment and execution of a partnership with ALMARA.

The processing of personal data of end customers on the B2C platform almara.life is subject to a separate B2C Privacy Policy.

1.2 Controller

The controller responsible for data processing within the meaning of the General Data Protection Regulation (GDPR) is:

Ubu Beteiligungs GmbH
Zehlendorfer Damm 75A
14532 Kleinmachnow
Germany

Email: office@ubu-beteiligung.de

Further information on the controller can be found in our Legal Notice.

1.3 Contact for data protection enquiries

For questions regarding the collection, processing or use of your personal data, for information requests, rectification, restriction or erasure of data, as well as for the withdrawal of any consent granted, please contact:

Email: dataprotection@ubu-beteiligung.de

A Data Protection Officer has not been appointed, as the legal requirements for such appointment are not met.

2. General information on data processing

2.1 Legal bases

We process personal data on the following legal bases:

  • Article 6(1)(a) GDPR where consent has been granted;
  • Article 6(1)(b) GDPR for the initiation and performance of the partnership;
  • Article 6(1)(c) GDPR to fulfil legal obligations (in particular DAC7, anti-money laundering law, tax law);
  • Article 6(1)(f) GDPR where we have legitimate interests that are not overridden by your interests or fundamental rights and freedoms.

2.2 Categories of data

In the context of the Partner Platform, we process the following categories of personal data:

  • Company data: legal company name, trading name, legal form, address, country, VAT number, commercial register number, website, business currency;
  • Contact data of representatives: first and last name, email address, telephone number, role;
  • Location and operational data: location address, coordinates, opening hours, offered experiences, equipment;
  • Financial data: bank account details (or Stripe Connect account ID), tax ID, commission settlements;
  • Compliance documents: business licence, liability insurance certificate, additional regulatory authorisations where applicable;
  • Usage data of the Partner Platform: login times, actions performed in the backend, IP address (truncated), browser information;
  • Communication data: content and timing of email, chat or telephone contact.

2.3 Storage duration

Personal data is deleted or restricted as soon as the purpose of storage no longer applies. Longer storage may be required to fulfil commercial and tax retention obligations (up to ten years under Sections 147 AO, 257 HGB) or to fulfil DAC7 reporting obligations.

3. Hosting

The Partner Platform is hosted on servers of STRATO AG, Pascalstraße 10, 10587 Berlin, Germany. The servers are located in Germany. When you access the Partner Platform, STRATO collects data automatically transmitted by your browser (server log files), in particular IP address, date and time of access, transferred data volume, page accessed and browser information.

The legal basis is Article 6(1)(f) GDPR. Our legitimate interest lies in the technically error-free and secure presentation of the Partner Platform. We have concluded a data processing agreement with STRATO pursuant to Article 28 GDPR.

4. Cookies and consent management

The Partner Platform uses cookies and similar technologies only to the extent necessary for operation and use (in particular session cookies for login, security cookies, language settings). These are set without consent on the basis of Section 25(2) No. 2 TDDDG.

To the extent that further cookies or third-party services are used (e.g. for reach measurement of publicly accessible acquisition pages), these are set exclusively with your express consent (Section 25(1) TDDDG in conjunction with Article 6(1)(a) GDPR) via our consent manager Borlabs Cookie, a service provided by Borlabs GmbH, Rübenkamp 32, 22305 Hamburg, Germany. Details can be found in our Cookie Policy for the Partner Platform.

5. LinkedIn Insight Tag

5.1 Use and purpose

On the publicly accessible areas of the Partner Platform (in particular acquisition and information pages), with your express consent, we use the LinkedIn Insight Tag of LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (“LinkedIn”). Through the Insight Tag, data is transmitted for reach measurement, conversion tracking and the targeting of advertising campaigns on LinkedIn to its affiliate LinkedIn Corporation, USA.

5.2 Data processed

When you access a page on which the Insight Tag is embedded, the following data in particular is processed: truncated IP address, timestamp of the page view, browser and device information, referrer URL, and – if you are logged in to LinkedIn or a LinkedIn cookie is set on your device – your LinkedIn member ID.

5.3 Joint controllership (Article 26 GDPR)

When using the LinkedIn Insight Tag, ALMARA and LinkedIn act as joint controllers within the meaning of Article 26 GDPR for the collection and transmission of your personal data to LinkedIn. The essential cornerstones of our agreement with LinkedIn are:

  • ALMARA is responsible for obtaining your consent and for providing this information.
  • LinkedIn is responsible for the further processing of the data in its own systems, in particular for providing reporting and targeting functions and for upholding data subject rights vis-à-vis LinkedIn.
  • You can exercise your rights against either controller; the responsible party will forward your request if necessary.

LinkedIn’s joint controller agreement is available at legal.linkedin.com/pages-joint-controller-addendum.

5.4 Third-country data transfer

LinkedIn transfers data to LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA. LinkedIn Corporation is certified under the EU-US Data Privacy Framework; data transfer to the USA takes place on the basis of the adequacy decision of the European Commission of 10 July 2023.

5.5 Legal basis and withdrawal

The legal basis for setting the tag is Section 25(1) TDDDG; the legal basis for the subsequent processing is Article 6(1)(a) GDPR (consent). You can withdraw your consent at any time via our consent manager Borlabs Cookie with effect for the future.

Further information on LinkedIn’s data processing can be found in the LinkedIn Privacy Policy.

6. Partner Onboarding

6.1 Registration as a partner

When you register as a partner, we collect the company and contact data necessary to verify your suitability and to initiate the partner contract (see section 2.2). Input takes place via a form on the Partner Platform.

The legal basis is Article 6(1)(b) GDPR (pre-contractual measures). If the data is not required to process your request, it is deleted after completion of the process; data relevant to contract initiation is retained for the duration of a possible later contract initiation.

6.2 CRM integration

The data collected during onboarding may be transferred to our CRM system for further processing. We use or evaluate the following providers (the live status is maintained in the current version of this Privacy Policy):

  • Brevo (Sendinblue SAS, 106 Boulevard Haussmann, 75008 Paris, France) – EU provider, no third-country transfer;
  • Pipedrive (Pipedrive OÜ, Paldiski mnt 80, 10617 Tallinn, Estonia) – EU provider;
  • Odoo (Odoo S.A., Chaussée de Namur 40, 1367 Ramillies, Belgium) – EU provider.

A data processing agreement pursuant to Article 28 GDPR is concluded with the respective provider. The legal basis is Article 6(1)(b) GDPR (contract initiation) and Article 6(1)(f) GDPR (legitimate interest in efficient sales pipeline management).

7. Profile verification and KYC

7.1 Uploading documents

As part of profile verification, you upload documents to evidence your business activity, in particular:

  • business licence;
  • proof of sufficient liability insurance (with expiry date);
  • further regulatory authorisations, licences or certificates as required for the respective activity.

These documents are stored exclusively for the purpose of profile verification and for the fulfilment of our legal due diligence obligations. The data is stored for the duration of the partnership as well as for statutory retention periods.

7.2 Identification and anti-money laundering obligations

Insofar as we are obliged under the German Anti-Money Laundering Act (GwG) or comparable foreign provisions to identify the contractual partner or its beneficial owners, we collect and process the necessary data (in particular name, date of birth, address, nationality, identity document data of legal representatives and beneficial owners as required).

The legal basis is Article 6(1)(c) GDPR. The data is deleted after the statutory retention period (generally five years after termination of the business relationship pursuant to Section 8(4) GwG).

8. Partner Account and Login

8.1 Account creation

After successful profile verification, a partner account is created. To log in to the partner account, you use a self-selected email address and password. When using the partner account, technical data is processed (login times, IP address, browser, actions performed).

The legal basis is Article 6(1)(b) GDPR (contract performance) and Article 6(1)(f) GDPR (legitimate interest in security and functionality of the platform).

8.2 Security measures

We take appropriate technical and organisational measures to protect partner accounts, in particular password hashing, encrypted transmission (TLS), login logging and, where applicable, two-factor authentication. You are obliged to treat your access data confidentially and not to share it with third parties.

9. Booking and end-customer data

9.1 Joint controllership

In the context of brokering bookings, we transfer end-customer data (in particular name, booking code, date, number of participants, contact data where applicable) to you as a partner. This processing takes place under joint controllership pursuant to Article 26 GDPR.

The essential content of the joint controllership agreement concluded between ALMARA and the partner is set out in a separate annex to the partner contract; it can be made available on request. The essential cornerstones are:

  • ALMARA is responsible for collecting end-customer data in the booking process, transmitting it to the partner and providing the platform.
  • The partner is responsible for the further processing of end-customer data to provide the experience at the location and for fulfilling statutory retention obligations.
  • Both parties are jointly responsible for providing data subjects with the information required under Articles 13/14 GDPR.
  • Data subject requests may be directed to either party; the respective competent party will respond promptly and inform the other.

9.2 Partner’s obligations

The partner undertakes to process the transferred end-customer data exclusively for the provision of the booked experience and to fulfil legal obligations. Use beyond this (in particular for own marketing purposes) is only permitted with the express consent of the end customer.

10. Payment processing via Stripe Connect

10.1 Platform architecture

For payment processing between end customers, ALMARA and partners, we use Stripe Connect Express. The provider is Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. In this arrangement:

  • ALMARA processes booking and commission data;
  • the partner sets up a connected Stripe account (“Connected Account”) through which payouts are processed;
  • Stripe transmits relevant tax and identification-related data to competent authorities in accordance with Stripe’s own legal obligations (PSD2, KYC, AML).

10.2 Data flows and roles

In relation to the platform function, Stripe is a processor for ALMARA. In relation to the account relationship with the partner (identification, KYC, payout), Stripe is an independent controller.

Stripe Payments Europe, Ltd. is based in the EU; data transfer to third countries may occur as part of intra-group processing (in particular to Stripe Inc., USA). Stripe Inc. is certified under the EU-US Data Privacy Framework.

The legal basis is Article 6(1)(b) GDPR (contract performance) and Article 6(1)(c) GDPR (legal obligations).

Further information: https://stripe.com/privacy; information on Stripe Connect: https://stripe.com/connect/legal

11. DAC7 reporting obligations

11.1 Background

As a reporting platform operator within the meaning of EU Directive 2021/514 (DAC7), implemented in Germany by the Platform Tax Transparency Act (PStTG), we are obliged to transmit certain information about the providers active on our platform and the remuneration they receive annually to the Federal Central Tax Office (BZSt).

11.2 Scope of reported data

The reported data includes in particular:

  • identification data of the partner (name, address, tax identification number, VAT number, commercial register number);
  • for natural persons: date of birth;
  • address of the locations where services are provided;
  • bank account or Stripe account identifier to which remuneration is paid out;
  • annual total remuneration and number of services provided.

11.3 Legal basis and consequences of refusal

The legal basis is Article 6(1)(c) GDPR in conjunction with the PStTG. If the data required for reporting is not made available to us, we are entitled, after two reminders but no earlier than 60 days after the first request, to close the partner account or to withhold payouts until the data is provided.

12. Newsletter and partner communication

12.1 Partner newsletter

We send a partner newsletter at regular intervals with information on platform developments, new functions, training offers and relevant market updates. Registration takes place via the double opt-in procedure.

For dispatch, we use Mailchimp, a service provided by Intuit Inc., 2700 Coast Avenue, Mountain View, California 94043, USA. Mailchimp is certified under the EU-US Data Privacy Framework. We have concluded a data processing agreement with Mailchimp pursuant to Article 28 GDPR.

The legal basis is Article 6(1)(a) GDPR (consent). You can unsubscribe from the newsletter at any time.

Further information: https://mailchimp.com/legal/privacy/

12.2 Transactional communication

Independently of the newsletter, we send you transactional emails necessary for the execution of the partnership (in particular booking notifications, settlements, contract changes, security notices). It is not possible to opt out of this communication as long as the partnership exists. The legal basis is Article 6(1)(b) GDPR.

13. Demo appointment booking

An external appointment booking tool may be used to arrange demo appointments. When used, the data you enter (name, email, desired appointment) is transmitted to the respective provider:

  • Cal.com (Cal.com, Inc.; with EU hosting option) or
  • Calendly (Calendly LLC, 271 17th Street NW, Atlanta, Georgia 30363, USA) – DPF certified.

The specific provider used is indicated on the demo booking page. The legal basis is Article 6(1)(b) GDPR (pre-contractual measures) and Article 6(1)(a) GDPR (consent, where required).

14. Webinar and training tools

For webinars, onboarding training and product trainings, we may use external webinar platforms, in particular WebinarGeek (WebinarGeek B.V., Netherlands) or WebinarKit (WebinarKit LLC, USA). When registering for webinars, your registration data (name, email) is transmitted to the respective provider.

The legal basis is Article 6(1)(b) GDPR (training as part of partnership execution) and Article 6(1)(a) GDPR. For US providers, third-country transfer takes place on the basis of the EU-US Data Privacy Framework or EU Standard Contractual Clauses.

15. Chat and support tools

For communication with partner prospects and existing partners, we use, analogous to the B2C platform, the services Tidio (Tidio LLC, USA, DPF certified) and/or Superchat (Superchat GmbH, Berlin, Germany). The function and data processing essentially correspond to that described in the B2C Privacy Policy.

The legal basis is Article 6(1)(a) GDPR (consent) and Article 6(1)(b) GDPR (contract initiation and performance).

16. Third-country data transfers

To the extent that personal data is transferred in the context of the above processing to third countries outside the European Economic Area (in particular to the USA), this takes place on one of the following legal bases:

  • adequacy decision of the European Commission, in particular the EU-US Data Privacy Framework (decision of 10 July 2023);
  • EU Standard Contractual Clauses pursuant to Article 46(2)(c) GDPR;
  • express consent pursuant to Article 49(1)(a) GDPR.

Upon request, we will provide you with further information on the safeguards taken.

17. Your rights as a data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

  • Right of access (Article 15 GDPR);
  • Right to rectification (Article 16 GDPR);
  • Right to erasure (Article 17 GDPR), insofar as statutory retention periods do not preclude it;
  • Right to restriction of processing (Article 18 GDPR);
  • Right to data portability (Article 20 GDPR);
  • Right to object (Article 21 GDPR);
  • Right to withdraw consents granted (Article 7(3) GDPR).

18. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority. The supervisory authority responsible for us is:

Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg
(State Commissioner for Data Protection and the Right of Access to Files, Brandenburg)
Stahnsdorfer Damm 77
14532 Kleinmachnow
Germany
Phone: +49 33203 356-0
Email: poststelle@lda.brandenburg.de
Web: www.lda.brandenburg.de

19. Currency of this Privacy Policy

This Privacy Policy is currently valid and reflects the status as of May 2026. Due to the further development of the Partner Platform and our services, or due to changes in legal or regulatory requirements, it may become necessary to amend this Privacy Policy. The current Privacy Policy can be accessed and printed at any time on the Partner Platform at /en/partner-privacy-policy.

© ALMARA 2026
