Deloitte Logo

ekipa US Platform - Privacy Notice

Introduction

This Privacy Notice explains how ekipa GmbH ("ekipa", "we", "us") processes personal data in connection with the ekipa US platform instance ("Platform").

The Platform enables participation in innovation initiatives initiated by third-party organizations ("Project Sponsors").

This Privacy Notice applies solely to the ekipa US Platform and related platform-based services.

Controller

The controller for the processing of personal data within the meaning of applicable data protection laws is:

ekipa GmbH
Muenchener Strasse 41
60329 Frankfurt am Main
Germany

Registered at Frankfurt am Main Local Court under HRB 113272

Contact: hello@ekipa.de
Managing Directors: Justin Gemeri, Nico Heby

Data Protection Officer (DPO) ekipa GmbH has appointed a Data Protection Officer in accordance with Article 37 et seq. of the EU General Data Protection Regulation (GDPR).

The Data Protection Officer can be contacted at:

IITR Datenschutz GmbH
Dr. Sebastian Kraska
Marienplatz 2
80331 Munich
Germany

Categories of Personal Data Processed

We may process the following categories of personal data:

We do not intentionally collect special categories of personal data. Users are requested not to submit sensitive personal data unless explicitly required by the applicable Project Rules.

Purpose of Processing and Legal Basis of Processing

Personal data is processed for the following purposes:

We use personal data solely to operate the Platform, administer Innovation Projects (including sharing relevant submissions and participation data with the applicable Project Sponsor; see Section 5 "Disclosure to Project Sponsors"), provide project-related communications, ensure security, and comply with legal obligations.

As ekipa GmbH is established in the European Union, we apply the GDPR framework to our processing activities. Processing is based on one or more of the following legal grounds under the GDPR:

Where specific processing activities are subject to mandatory data protection laws of the United States or other jurisdictions in which users are located, ekipa will comply with such applicable legal requirements.

U.S. Privacy Law Framework: ekipa does not sell personal data as defined under applicable U.S. state privacy laws and does not engage in cross-context behavioral advertising.

Where required under applicable U.S. state privacy laws, users may exercise their rights to access, delete, or correct personal information by contacting us. We do not process personal data for profiling in furtherance of decisions that produce legal or similarly significant effects.

Disclosure to Project Sponsors

Participation in an Innovation Project requires the transmission of relevant personal data and submissions to the respective Project Sponsor.

This may include:

ekipa determines the purposes and means of processing personal data for operating the Platform and administering the Innovation Project process (including submission handling, technical coordination, and participant management).

The Project Sponsor independently determines the purposes and means of processing once data is transmitted to it. This may include evaluation of submissions, selection decisions, follow-up communications with participants, administration of prizes, and promotion of the Competition in accordance with the applicable Official Rules or project-specific terms.

In particular, where provided in the applicable Official Rules or Competition terms accepted by participants prior to participation, the Project Sponsor may:

The respective Project Sponsor acts as an independent controller with respect to the data received and processes such data in accordance with its own privacy policies and the applicable project-specific terms and conditions.

Participation in each Innovation Project requires prior acceptance of the applicable Official Rules and platform terms via the Website. These project-specific terms govern the scope of Sponsor use of submitted materials and related personal data.

ekipa does not determine the Sponsor's independent evaluation criteria, business decisions, or subsequent professional engagement decisions.

Service Providers and Infrastructure

To operate the ekipa US Platform, we engage carefully selected service providers that process personal data on our behalf.

6.1 Platform Backend and Database

Supabase Inc. (United States)

Purpose: Authentication, database management, secure storage of user account data, submissions and metadata.

Data processed: Account data, profile data, team data, submission materials, authentication tokens, metadata.

Hosting region: United States (us-west1).

Supabase provides the authentication session cookie required to maintain user login sessions. This cookie is strictly necessary for platform functionality and does not serve tracking or marketing purposes.

6.2 Hosting and Deployment

Vercel Inc. (United States)

Purpose: Hosting and deployment infrastructure for the Platform.

Data processed: IP addresses, request logs, application traffic, data transmitted in connection with platform access.

6.3 Content Management System

Prismic Networks Inc. (United States)

Purpose: Content management and dynamic content delivery for informational parts of the Platform.

Data processed: IP address, browser information, page access data.

6.4 Email Communication Services

Postmark (Wildbit, LLC, United States)

Purpose: Delivery of transactional and system-related emails required for the operation of the Platform. This includes:

Data processed may include:

We send transactional, project-related communications that are necessary for participation. These communications constitute mandatory service communications. Optional updates about additional Innovation Projects or related opportunities are sent only where permitted by applicable law and may be opted out of at any time via unsubscribe functionality or by contacting us.

6.5 Internal Administrative Tools

For administrative coordination and secure transmission of submissions to Project Sponsors, we may process data using:

Microsoft 365 / SharePoint

Purpose: Internal documentation and controlled project administration.

Access to such systems is strictly limited to authorized personnel and used solely for project-related administrative purposes.

International Data Transfer

Due to the international nature of the Platform:

Where personal data is transferred outside the European Economic Area, we rely on one or more of the following mechanisms as appropriate:

Where required, we implement additional safeguards such as encryption in transit, access restrictions, and data minimization to ensure an appropriate level of protection.

Data Retention

Personal data is retained only for as long as necessary to:

Users may delete their accounts at any time. Upon account deletion, personal data is deleted or anonymized within a reasonable period unless retention is required for legal, contractual, or compliance purposes. Project-related documentation may be retained for a limited period following project completion to document contractual performance and handle potential disputes.

Project submissions may be retained for documentation, compliance, or contractual purposes in accordance with applicable Project Rules.

Data Security

We implement appropriate technical and organizational measures to protect personal data against:

Security measures include access controls, encryption, secure hosting infrastructure, and internal access restrictions.

Cookies and Technical Log Data

The Platform uses only strictly necessary technical cookies required for authentication and secure operation (e.g., Supabase session cookies).

We do not use analytics, advertising, or tracking cookies on the ekipa US Platform.

Technical log data (including IP address and request metadata) is processed solely for security, troubleshooting, and operational integrity purposes.

Data Subject Rights

Subject to applicable law, users may have the right to:

Where processing is based on legitimate interests, users have the right to object in accordance with applicable law. Requests may be directed to: hello@ekipa.de

Users residing in jurisdictions that grant additional privacy rights (e.g., certain U.S. states) may exercise such rights in accordance with applicable law by contacting us.

Legal Disclosure Obligations

We may disclose personal data if required to do so by law or in response to valid legal requests by public authorities.

No Automated Decision-Making

We do not use personal data for automated decision-making or profiling that produces legal or similarly significant effects.

Changes to this Privacy Notice

We may update this Privacy Notice from time to time. Updated versions will be published on the Platform.

Ekipa