ekipa US Platform - Privacy Notice
Introduction
This Privacy Notice explains how ekipa GmbH ("ekipa", "we", "us") processes personal data in connection with the ekipa US platform instance ("Platform").
The Platform enables participation in innovation initiatives initiated by third-party organizations ("Project Sponsors").
This Privacy Notice applies solely to the ekipa US Platform and related platform-based services.
Controller
The controller for the processing of personal data within the meaning of applicable data protection laws is:
ekipa GmbH
Muenchener Strasse 41
60329 Frankfurt am Main
Germany
Registered at Frankfurt am Main Local Court under HRB 113272
Contact: hello@ekipa.de
Managing Directors: Justin Gemeri, Nico Heby
Data Protection Officer (DPO)
ekipa GmbH has appointed a Data Protection Officer in accordance with Article 37 et seq. of the EU General Data Protection Regulation (GDPR).
The Data Protection Officer can be contacted at:
IITR Datenschutz GmbH
Dr. Sebastian Kraska
Marienplatz 2
80331 Munich
Germany
Categories of Personal Data Processed
We may process the following categories of personal data:
- Account data (name, email address, login credentials)
- Profile information (professional background, organization, description)
- Team-related information
- Project submissions and uploaded materials
- Communication data within the Platform
- Technical data (IP address, access timestamps, browser information)
- Metadata related to submissions and participation
- Information provided in connection with project evaluation processes (e.g., participation status, selection outcomes, scoring metadata, where applicable)
We do not intentionally collect special categories of personal data. Users are requested not to submit sensitive personal data unless explicitly required by the applicable Project Rules.
Purpose of Processing and Legal Basis of Processing
Personal data is processed for the following purposes:
- Creation and administration of user accounts
- Enabling participation in Innovation Projects
- Facilitating collaboration within teams
- Managing submissions and project documentation
- Transmitting submissions and related data to the respective Project Sponsor
- Ensuring platform security and integrity
- Compliance with legal obligations
We use personal data solely to operate the Platform, administer Innovation Projects (including sharing relevant submissions and participation data with the applicable Project Sponsor; see Section 5 "Disclosure to Project Sponsors"), provide project-related communications, ensure security, and comply with legal obligations.
As ekipa GmbH is established in the European Union, we apply the GDPR framework to our processing activities. Processing is based on one or more of the following legal grounds under the GDPR:
- Art. 6(1)(b) GDPR - performance of a contract: Account creation, authentication, participation in Innovation Projects, submission management, and project-related communications necessary for participation.
- Art. 6(1)(f) GDPR - legitimate interests: Platform security, fraud prevention, IT administration, logging, internal documentation, and controlled transmission of submissions to Project Sponsors. Our legitimate interests include ensuring the secure and efficient operation of the Platform and enabling structured collaboration between participants and Project Sponsors.
- Art. 6(1)(c) GDPR - compliance with legal obligations.
- Art. 6(1)(a) GDPR - consent (where applicable): Optional communications about additional Innovation Projects or related opportunities, where required by applicable law. Consent may be withdrawn at any time.
Where specific processing activities are subject to mandatory data protection laws of the United States or other jurisdictions in which users are located, ekipa will comply with such applicable legal requirements.
U.S. Privacy Law Framework: ekipa does not sell personal data as defined under applicable U.S. state privacy laws and does not engage in cross-context behavioral advertising.
Where required under applicable U.S. state privacy laws, users may exercise their rights to access, delete, or correct personal information by contacting us. We do not process personal data for profiling in furtherance of decisions that produce legal or similarly significant effects.
Disclosure to Project Sponsors
Participation in an Innovation Project requires the transmission of relevant personal data and submissions to the respective Project Sponsor.
This may include:
- User identification data
- Team composition
- Submitted materials
- Communication relevant to the project
ekipa determines the purposes and means of processing personal data for operating the Platform and administering the Innovation Project process (including submission handling, technical coordination, and participant management).
The Project Sponsor independently determines the purposes and means of processing once data is transmitted to it. This may include evaluation of submissions, selection decisions, follow-up communications with participants, administration of prizes, and promotion of the Competition in accordance with the applicable Official Rules or project-specific terms.
In particular, where provided in the applicable Official Rules or Competition terms accepted by participants prior to participation, the Project Sponsor may:
- use submitted materials for internal and external review purposes,
- publish or present winning entries,
- announce winners publicly (including name and city/state), and
- use winner information for promotional purposes relating to the Competition.
The respective Project Sponsor acts as an independent controller with respect to the data received and processes such data in accordance with its own privacy policies and the applicable project-specific terms and conditions.
Participation in each Innovation Project requires prior acceptance of the applicable Official Rules and platform terms via the Website. These project-specific terms govern the scope of Sponsor use of submitted materials and related personal data.
ekipa does not determine the Sponsor's independent evaluation criteria, business decisions, or subsequent professional engagement decisions.
Service Providers and Infrastructure
To operate the ekipa US Platform, we engage carefully selected service providers that process personal data on our behalf.
6.1 Platform Backend and Database
Supabase Inc. (United States)
Purpose: Authentication, database management, secure storage of user account data, submissions and metadata.
Data processed: Account data, profile data, team data, submission materials, authentication tokens, metadata.
Hosting region: United States (us-west1).
Supabase provides the authentication session cookie required to maintain user login sessions. This cookie is strictly necessary for platform functionality and does not serve tracking or marketing purposes.
6.2 Hosting and Deployment
Vercel Inc. (United States)
Purpose: Hosting and deployment infrastructure for the Platform.
Data processed: IP addresses, request logs, application traffic, data transmitted in connection with platform access.
6.3 Content Management System
Prismic Networks Inc. (United States)
Purpose: Content management and dynamic content delivery for informational parts of the Platform.
Data processed: IP address, browser information, page access data.
6.4 Email Communication Services
Postmark (Wildbit, LLC, United States)
Purpose: Delivery of transactional and system-related emails required for the operation of the Platform. This includes:
- Account verification
- Password reset
- Platform notifications
Data processed may include:
- Email address
- Name (if provided)
- Technical metadata related to email delivery (e.g., delivery status, timestamps, IP logs associated with email transmission)
We send transactional, project-related communications that are necessary for participation. These communications constitute mandatory service communications. Optional updates about additional Innovation Projects or related opportunities are sent only where permitted by applicable law and may be opted out of at any time via unsubscribe functionality or by contacting us.
6.5 Internal Administrative Tools
For administrative coordination and secure transmission of submissions to Project Sponsors, we may process data using:
Microsoft 365 / SharePoint
Purpose: Internal documentation and controlled project administration.
Access to such systems is strictly limited to authorized personnel and used solely for project-related administrative purposes.
International Data Transfer
Due to the international nature of the Platform:
- Personal data may be processed in the United States (platform hosting).
- Personal data may also be processed within the European Union for administrative purposes.
- Personal data may be transferred to Project Sponsors located in the United States or other jurisdictions.
Where personal data is transferred outside the European Economic Area, we rely on one or more of the following mechanisms as appropriate:
- Standard Contractual Clauses (SCCs) adopted by the European Commission
- The EU-U.S. Data Privacy Framework, where applicable
- Other legally recognized transfer mechanisms
Where required, we implement additional safeguards such as encryption in transit, access restrictions, and data minimization to ensure an appropriate level of protection.
Data Retention
Personal data is retained only for as long as necessary to:
- Administer user accounts
- Conduct Innovation Projects
- Fulfill contractual and legal obligations
- Resolve disputes
Users may delete their accounts at any time. Upon account deletion, personal data is deleted or anonymized within a reasonable period unless retention is required for legal, contractual, or compliance purposes. Project-related documentation may be retained for a limited period following project completion to document contractual performance and handle potential disputes.
Project submissions may be retained for documentation, compliance, or contractual purposes in accordance with applicable Project Rules.
Data Security
We implement appropriate technical and organizational measures to protect personal data against:
- Unauthorized access
- Accidental or unlawful destruction
- Loss, alteration, or disclosure
Security measures include access controls, encryption, secure hosting infrastructure, and internal access restrictions.
Cookies and Technical Log Data
The Platform uses only strictly necessary technical cookies required for authentication and secure operation (e.g., Supabase session cookies).
We do not use analytics, advertising, or tracking cookies on the ekipa US Platform.
Technical log data (including IP address and request metadata) is processed solely for security, troubleshooting, and operational integrity purposes.
Data Subject Rights
Subject to applicable law, users may have the right to:
- Request access to their personal data
- Request correction of inaccurate data
- Request deletion of personal data
- Request restriction of processing
- Object to processing where applicable
- Request data portability
Where processing is based on legitimate interests, users have the right to object in accordance with applicable law. Requests may be directed to: hello@ekipa.de
Users residing in jurisdictions that grant additional privacy rights (e.g., certain U.S. states) may exercise such rights in accordance with applicable law by contacting us.
Legal Disclosure Obligations
We may disclose personal data if required to do so by law or in response to valid legal requests by public authorities.
No Automated Decision-Making
We do not use personal data for automated decision-making or profiling that produces legal or similarly significant effects.
Changes to this Privacy Notice
We may update this Privacy Notice from time to time. Updated versions will be published on the Platform.