Privacy Policy

Protection of your personal data

1. Data controller

The data controller responsible for the processing of personal data within the meaning of the General Data Protection Regulation (GDPR) is:

FinEase Financial Service GmbH
Karlstraße 13
35641 Schöffengrund
Germany
Email: info@finease-fs.de

2. Data protection officer

We have appointed a data protection officer. You can reach him at:

Dirk Baumann
Siedlungsweg 2
13591 Berlin
Phone: +49 173 9494 263
Email: d.baumann@finease-fs.de

3. Definitions

  • Personal data means any information relating to an identified or identifiable natural person.
  • Processing means any operation performed on personal data (e.g. collection, storage, transmission, deletion).

4. Overview: areas of the platform

We distinguish, among others, the following areas and user groups:

  • Website visitors (e.g. blog, resources)
  • Leads / prospects (e.g. study quiz, readiness check, landing pages without an account)
  • Registered users (students with a customer account)
  • Guest applications (direct application without a full customer account)

5. Data collection when visiting the website (server logs)

5.1 What data is processed?

When you use the website for informational purposes only, we process the data that your browser automatically transmits to our server (server log files), in particular:

  • pages/URLs accessed
  • date and time of access
  • amount of data transferred
  • referrer URL
  • browser type/version
  • operating system
  • IP address

5.2 Purpose

  • provision of the website
  • security, stability and error analysis
  • detection of abuse and attacks

5.3 Legal basis

Art. 6(1)(f) GDPR (legitimate interest in secure and stable operation).

5.4 Retention period

Server log data is generally stored for 14 days and then deleted or anonymised. In the case of security-relevant events (e.g. attack detection, ongoing investigation), longer retention may be required.

6. Hosting, email infrastructure, database and file storage

6.1 Domain and email hosting (IONOS)

For domain/DNS and email services we use IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany.

Legal basis: Art. 6(1)(f) GDPR (operation/security) and – where emails relate to contract/service communication – Art. 6(1)(b) GDPR.

6.2 Operation of the web application and database (Hetzner)

We operate the web application and the database (e.g. PostgreSQL) on infrastructure provided by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany.

Purposes: platform operation, account and application processing, technical administration.

Legal basis:

  • Art. 6(1)(b) GDPR (user relationship / pre-contractual steps, application submission)
  • Art. 6(1)(f) GDPR (security, abuse prevention, system operation)

6.3 File storage (Hetzner Object Storage)

For storing uploaded files we use Hetzner Object Storage (S3-compatible) in Germany.

Stored data includes, for example:

  • documents you upload as part of an application (e.g. ID, admission letter, supporting documents)
  • documents generated in the process (e.g. PDF proofs)

Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures / contract).

6.4 Data processing agreements

Where required, we conclude data processing agreements pursuant to Art. 28 GDPR with the aforementioned service providers.

7. Cookies, localStorage, sessionStorage and consent tool

7.1 General

We use cookies and similar technologies (e.g. localStorage/sessionStorage) to operate the website technically and – only with consent – to measure reach and marketing.

You can change or withdraw your consents at any time. Use the "Cookie settings" function (e.g. via the link in the footer) for this. There you can agree to optional technologies (e.g. statistics/marketing) or disable them.

7.2 Categories and services

Our consent tool allows control in three categories:

  • Necessary (technically required, e.g. login/security/consent storage) – no consent required
  • Statistics (e.g. Google Analytics) – only with consent
  • Marketing (e.g. Meta Pixel, Google Ads) – only with consent

Within the Statistics and Marketing categories, individual services can additionally be enabled or disabled per service.

7.3 Legal bases

  • Necessary technologies: Art. 6(1)(b) GDPR (use of the platform) and/or Art. 6(1)(f) GDPR (security/technology); Section 25(2) No. 2 TDDDG
  • Statistics/marketing: Art. 6(1)(a) GDPR (consent) in conjunction with Section 25(1) TDDDG

7.4 Consent logging (Art. 7 GDPR)

Every consent and every withdrawal is logged server-side. The consent log stores:

  • timestamp of consent/withdrawal (UTC)
  • pseudonymous identifier (session ID or hashed IP)
  • status per category and service (active/inactive)
  • version of the privacy policy/consent banner at the time of consent

Log data is retained for 3 years (see section 15.3) and is used solely to demonstrate consent.

Changing or withdrawing consents:

  • Via "Cookie settings" (e.g. via the link in the footer) you can change or withdraw your selection at any time.
  • Registered users additionally in the "Privacy & consents" section in the dashboard
  • Withdrawal takes effect from the time of the declaration; it does not affect the lawfulness of processing carried out until then.

7.5 Attribution (first-party)

When you use our website or register, origin and attribution parameters may be processed depending on the situation, e.g.:

  • ref / parref (referral/partner attribution)
  • entry (funnel entry)

UTM parameters and technical email origin parameters such as gfs_origin and gfs_mail_target are processed in Statistics or Marketing only with consent. They are:

  • cached in the browser until the end of the session (sessionStorage, key: gfs_attribution_session) and
  • additionally stored server-side in the lead or user record (persistently in the database).

Server-side storage is based on the same consent (Art. 6(1)(a) GDPR) and is deleted together with the lead/account according to the retention periods in section 15.

These parameters are not required to use the platform.

7.6 Conversion deduplication (sessionStorage)

To avoid sending the same conversion or engagement event to measurement tools more than once, we store short-lived entries in sessionStorage when you consent to Statistics and/or Marketing:

  • gfs_conv:<event>:<id> – one-time firing of conversions (e.g. quiz, funnel lead, registration, product application)
  • gfs_eng:<event> – one-time firing of engagement events (e.g. funnel steps), only with Statistics consent

Entries last until the browser session ends. They do not contain plain-text email addresses; only technical event and lead/application IDs for deduplication.

8. Study quiz, readiness check and other lead funnels (without customer account)

8.1 What data do we process?

Depending on the funnel, in particular:

  • contact data (e.g. email, name where applicable)
  • answers/score from the study quiz or readiness check
  • basic context (e.g. language, product interest, source/funnel)

8.2 Purposes

  • provision of the requested result (e.g. sending a report/PDF by email)
  • preparation for and follow-up of a possible registration and use of the platform

Note: In the study quiz and readiness check, no data is transferred to product partners. Partner-specific consents are only obtained in the respective application forms.

8.3 Legal bases (target state)

  • Result/service email: Art. 6(1)(b) GDPR (pre-contractual measures on request)
  • Multi-part nurture series from Germany for Students: Art. 6(1)(a) GDPR (consent)

If we send you more than the specifically requested result email (e.g. a tips series), this only happens if you have previously given separate consent.

9. Registration and customer account

9.1 Data

When you register, we typically process:

  • email address
  • password (as a hash, not in plain text)
  • language/locale
  • technical tokens/session data

9.2 Purposes

  • account creation, login and account management
  • security and abuse prevention

9.3 Legal basis

Art. 6(1)(b) GDPR.

Note: Upon registration, no data is transferred to product partners. Corresponding consents are only obtained in the respective application forms.

10. Product applications (mediation) and data transfer to product partners

10.1 Product partners (recipients)

When you apply for a specific product via our platform or use a mediation service, we transfer the data required for this to the respective product partner, in particular:

  • DAK-Gesundheit (health insurance)
  • MAWISTA (incoming insurance)
  • VietinBank (blocked account)

The product partners subsequently process the data under their own responsibility.

10.2 Purpose

  • processing your application
  • contract preparation and, where applicable, conclusion of a contract with the product partner

10.3 Legal basis

Art. 6(1)(b) GDPR (pre-contractual measures / contract).

11. Internal processing area

Some processes are supported in an internal processing area. This area is not intended for external third parties, but only for authorised internal users of Germany for Students / FinEase.

Purpose: internal processing and process management (e.g. application processing, support, quality assurance).
Legal basis: Art. 6(1)(b) GDPR (user relationship/pre-contractual steps) and Art. 6(1)(f) GDPR (secure operation, abuse prevention).
Access control: role-based, only for authorised internal users.

12. Email communication and delivery service

12.1 Types of emails

We distinguish:

  • Service/process emails (e.g. verification, password reset, result/report email, status updates)
  • Newsletter/nurture emails from Germany for Students (multi-part series, tips/updates)
  • Inbound/reply handling (incoming replies and messages via webhook)

12.2 Postmark

AttributeDetails
ProviderAC PM, LLC (Postmark), 222 N LaSalle St, Chicago, IL 60601, USA
RoleData processor (DPA pursuant to Art. 28 GDPR concluded)
PurposeTransactional emails, newsletter/nurture, inbound/reply handling
Legal basisArt. 6(1)(b) GDPR (service/process emails); Art. 6(1)(a) GDPR (newsletter); Art. 6(1)(f) GDPR (reliable operation)
Third countryUSA
SafeguardEU-US Data Privacy Framework (DPF) – Postmark is DPF-certified; additionally Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR
Residual riskDespite DPF certification, there remains a residual risk of government access under US law (e.g. FISA 702). In our assessment, the remaining risk is proportionate given the nature of the data processed.
RetentionDelivery logs: 45 days (Postmark standard); then automatic deletion by the provider

Inbound/reply handling: Incoming email replies are received by Postmark and forwarded to the platform via webhook. Postmark processes sender address, subject and message content.

13. Online marketing (only with consent)

All services described below are activated only after your express consent (Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG). You can withdraw your consent at any time via the cookie settings.

13.1 Google Tag Manager (GTM)

AttributeDetails
ProviderGoogle Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
RoleData processor (DPA via Google Ads/Analytics terms of use)
PurposeTechnical container for managing and deploying tracking tags (GA4, Google Ads, Meta Pixel, etc.) – no standalone tracking
Legal basisArt. 6(1)(a) GDPR; Section 25(1) TDDDG
Third countryUSA (Google LLC)
SafeguardEU-US Data Privacy Framework (DPF); additionally SCC pursuant to Art. 46(2)(c) GDPR
RetentionNo standalone data storage by GTM

13.2 Google Analytics 4 (GA4)

AttributeDetails
ProviderGoogle Ireland Limited, Ireland / Google LLC, USA
RoleData processor (DPA concluded)
PurposeReach measurement, user behaviour, page views, conversion tracking
Data processedIP address (truncated/anonymised), device data, page views, events, user ID where applicable
Legal basisArt. 6(1)(a) GDPR; Section 25(1) TDDDG
Third countryUSA
SafeguardEU-US Data Privacy Framework (DPF); SCC pursuant to Art. 46(2)(c) GDPR
Residual riskResidual risk of government access under US law; IP anonymisation enabled
RetentionEvent data: 14 months (configured); then automatic deletion

13.3 Google Ads (conversion tracking & remarketing)

AttributeDetails
ProviderGoogle Ireland Limited, Ireland / Google LLC, USA
RoleGoogle processes data partly as a data processor and partly for its own purposes within the respective Google services. Details are set out in Google's privacy information.
PurposeMeasurement of conversions from Google ads; remarketing (re-engaging website visitors)
Data processedClick IDs, conversion events, hashed identification attributes where applicable (e.g. email address, phone number, first and last name, region/state, postcode) as part of "Enhanced Conversions/Enhanced Matching"
Legal basisArt. 6(1)(a) GDPR; Section 25(1) TDDDG
Third countryUSA
SafeguardEU-US Data Privacy Framework (DPF); SCC pursuant to Art. 46(2)(c) GDPR
RetentionConversion data: 90 days (Google standard)

13.4 Meta Pixel (client-side tracking)

AttributeDetails
ProviderMeta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland
RoleIndependent controller
PurposeConversion measurement, audience building, remarketing via Meta platforms (Facebook, Instagram)
Data processedBrowser events, pixel ID, IP address and hashed identification attributes where applicable (e.g. email address, phone number, first and last name, region/state, postcode) as part of "Enhanced Matching"
Legal basisArt. 6(1)(a) GDPR; Section 25(1) TDDDG
Third countryUSA (Meta Platforms, Inc.)
SafeguardSCC pursuant to Art. 46(2)(c) GDPR; additionally EU-US Data Privacy Framework (DPF) where the provider is certified (see Meta's privacy information)
Residual riskResidual risk of government access under US law
RetentionEvent data at Meta: up to 180 days

13.5 Meta Conversion API (CAPI – server-side tracking)

AttributeDetails
ProviderMeta Platforms Ireland Limited, Ireland
RoleIndependent controller
PurposeServer-side transmission of conversion events to Meta to improve measurement quality (in addition to the pixel)
Data processedConversion events, hashed email address where applicable, IP address (hashed), user agent
Legal basisArt. 6(1)(a) GDPR
Third countryUSA
SafeguardSCC pursuant to Art. 46(2)(c) GDPR; EU-US DPF
Residual riskResidual risk of government access under US law
RetentionEvent data at Meta: up to 180 days

13.6 Enhanced matching / extended data matching

We use "Enhanced Matching" / "Enhanced Conversions" for Google Ads and Meta to improve measurement quality. Additional identification attributes are hashed exclusively (SHA-256) before transmission and are not sent in plain text. The hash values serve to better attribute conversion events.

Which data may be transmitted in hashed form (depending on availability)?

  • Email address
  • Phone number
  • First and last name
  • Location data (e.g. region/state)
  • Postcode

Transmission only occurs with your consent (Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG) and only when you are logged in or have provided your contact details as part of a funnel.

We do not transmit plain-text data, but exclusively hash values. Important: hashing generally constitutes pseudonymisation rather than anonymisation. Providers may – depending on their own data holdings and matching mechanisms – potentially re-identify persons from hash values. Use is exclusively for measurement/attribution purposes (conversion attribution) and not to contact you.

14. Affiliate links and commission models

On individual pages (in particular in the marketplace at germanyforstudents.com/de/marketplace), affiliate links to partner offers are embedded. When you click such a link, your click is recorded by the respective affiliate network and attributed to a commission. The networks typically process: referrer URL, timestamp, click ID/tracking parameters and, where applicable, truncated IP address and a pseudonymous user hash.

The networks also process this data for their own purposes in part (e.g. fraud detection, publisher billing, own statistics) and are in this respect independent controllers within the meaning of the GDPR. The partners' own privacy notices apply to processing on their destination pages.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in performance-based remuneration of advertising partners and abuse prevention) in conjunction with Section 25(2) No. 2 TDDDG (insofar as tracking is technically required for commission billing and no further profiling takes place).

We work with the following affiliate networks:

14.1 communicationAds

Provider: Virtual Minds GmbH (communicationAds), Germany
Tracking domain: communicationads.net
Purpose: click and conversion tracking for commission billing
Privacy: https://www.communicationads.net/de-de/ueberuns/datenschutz/

14.2 FinanceQuality / netzeffekt

Provider: netzeffekt GmbH, Theresienhöhe 28, 80339 Munich, Germany
Tracking domain: neqty.net (c.neqty.net, l.neqty.net)
Purpose: click and conversion tracking for commission billing; merging click and conversion data for publisher billing
Privacy: https://network.financequality.net/privacy-policy.do

14.3 financeAds

Provider: financeAds International GmbH & Co. KG, Germany
Purpose: click and conversion tracking for commission billing
Privacy: https://www.financeads.net/datenschutz

14.4 AWIN

Provider: Awin AG, Eichhornstraße 3, 10785 Berlin, Germany
Purpose: click and conversion tracking for commission billing
Privacy: https://www.awin.com/de/datenschutzerklarung

15. Retention and deletion (pragmatic target rules)

We store personal data only for as long as necessary for the respective purposes.

15.1 Leads (quiz/readiness without registration)

This rule applies exclusively to persons who completed the study quiz or readiness check without creating a customer account (so-called leads without registration). It does not apply to registered users with an account (→ section 15.4).

Lead data (including answers/score, contact data, attribution data) is stored until:

  • you withdraw your consent, or
  • 24 months without further interaction (inactivity),
  • whichever occurs first.

Rationale: Leads without an account have no active user relationship. Unlimited storage would not be permissible without a legal basis. The 24-month period reflects the typical preparation period for prospective students and applies only to this group.

15.2 Attribution data (UTM, gfs_origin, gfs_mail_target)

Server-side stored attribution data is deleted together with the associated lead or user record:

  • For leads: after 24 months of inactivity or upon withdrawal of consent (see 15.1)
  • For user accounts: within 30 days of account deletion (see 15.4)

15.3 Consent and proof records

We retain records of consents (including logging) to fulfil our accountability obligations for 3 years from the end of the year in which consent was withdrawn or the user relationship ended.

15.4 Customer account (registered users)

Registered users with an account are not subject to the 24-month inactivity rule in section 15.1. Their data is stored for as long as the account remains active.

  • Active accounts: Account data (profile, application history, consents, attribution data) remains stored for as long as the account exists – regardless of how long the user has been inactive. Students preparing for their studies over 1–3 years do not lose their account during this time.
  • After active account deletion by the user: Pure account data (login, sessions, profile) is deleted or anonymised within 30 days, unless retention obligations or proof requirements apply.
  • Optional inactivity reminder: After very long inactivity (e.g. more than 24 months without login), we may send a reminder email to check whether the account is still wanted. Automatic deletion does not occur without prior notice and an opportunity to respond.

15.5 Applications/contract and proof data

Data required to document applications, mediation processes, consents and, where applicable, billing-relevant proofs may be stored longer insofar as required to fulfil legal obligations or to assert or defend legal claims (e.g. commercial and tax retention periods).

16. Your rights

Subject to the relevant conditions, you have the following rights:

  • access (Art. 15 GDPR)
  • rectification (Art. 16 GDPR)
  • erasure (Art. 17 GDPR)
  • restriction (Art. 18 GDPR)
  • data portability (Art. 20 GDPR)
  • objection (Art. 21 GDPR), in particular to processing based on legitimate interests
  • withdrawal of consent (Art. 7(3) GDPR)

16.1 Withdrawal of partner contact

You can withdraw consent to data transfer to a product partner at any time:

  • Registered users: withdrawal per partner in the "Privacy & consents" section in the dashboard.
  • Guests (without account): withdrawal via the withdrawal link in the confirmation or partner email or by email to d.baumann@finease-fs.de.

Withdrawal is logged with a timestamp and results in the affected partner no longer having access to your data in the /p/ portal.

16.2 Withdrawal of newsletter/nurture

Unsubscribe via the unsubscribe link in each email or in the account under "Privacy & consents".

17. Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates data protection law (Art. 77 GDPR).

18. Changes to this privacy policy

We may amend this privacy policy when the legal situation, platform features or services used change. The current version published on the website applies.

Last updated: 14 July 2026