Privacy Policy

Complete Document Content

Privacy Policy

OceanOne - SWIFT17 GmbH

As of: May 2026

Version DS 26. 05

Controller

SWIFT17 GmbH

Zimmermuehlenweg 71, 61440 Oberursel

Commercial Register HRB 16660, Bad Homburg vor der Hoehe District Court

Managing Director: Armand de Beer

Email: armand.debeer@sw-ift.com

General information on data processing

We process personal data exclusively in accordance with applicable data protection laws, in particular the General Data Protection Regulation (GDPR).

Processing is carried out for:

  • Provision of our platform
  • Performance of contracts
  • Technical provision and security
  • Communication with users

Role as controller and processor

SWIFT17 GmbH is the controller within the meaning of the GDPR for data processing in connection with operation of the OceanOne platform and customer relationships.

Where our customers (e.g. companies, self-employed persons) use the OceanOne platform to operate their own websites, booking systems or customer inquiries and process personal data of their own customers or end users, SWIFT17 GmbH acts as a processor within the meaning of Art. 28 GDPR. The basis for this is the Data Processing Agreement (DPA) contained in our General Terms and Conditions.

Data protection responsibility for this data lies with the respective customer as controller. Customers are required to provide their own compliant privacy policy on their own websites.

Contract-related data processing

When using our platform, we process in particular:

  • Master data (name, company, address)
  • Contact data (email, telephone number)
  • Contract data
  • Payment data
  • Usage data
  • Purpose: Contract performance, billing, customer management
  • Legal basis: Art. 6 para. 1 lit. b GDPR

Extended data collection by usage scenarios

Depending on platform usage, the following data may in particular be processed:

  • Registration data (name, email, password, account ID)
  • Payment-related data (billing information, transaction data)
  • Communication data (support requests, emails)
  • Technical access data (IP address, log files, device information)
  • Usage data (interactions within the platform)
  • Content data (website content, booking data, uploaded files)
  • System data (server logs, error reports, performance data)

The specific processing depends on the features and modules used.

Use of the platform and dashboard

When using the platform and customer dashboard, the following data is processed automatically:

  • Login data
  • System access events
  • Technical log data
  • IP addresses
  • Purpose: Provision of the platform, system security, error analysis, abuse detection

Tracking of user behavior for analytics or marketing purposes is currently not carried out in the dashboard.

  • Legal basis: Art. 6 para. 1 lit. f GDPR

Payment processing via Stripe

For payment processing, we use Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland.

For payment transactions, the required payment data (e.g. credit card data, billing information) is transmitted directly to Stripe. SWIFT17 GmbH does not store full payment method details.

Stripe may transfer data to third countries (in particular the USA). Stripe uses Standard Contractual Clauses pursuant to Art. 46 GDPR for this purpose. Further information can be found in Stripe's privacy policy: https://stripe.com/de/privacy

Legal basis: Art. 6 para. 1 lit. b GDPR (contract performance), Art. 6 para. 1 lit. c GDPR (legal obligation)

Domain registration via name.com

For domain registration and management, we use Name.com, Inc., 5765 Centennial Blvd, Denver, Colorado 80219, USA.

The data required for domain registration (e.g. name, address, email) is transmitted for this purpose. Data transfer to the USA takes place on the basis of Standard Contractual Clauses pursuant to Art. 46 GDPR.

  • Legal basis: Art. 6 para. 1 lit. b GDPR

Booking system (Amelia)

For providing online booking functions on websites created through OceanOne, the Amelia plugin (WPeka / TMS Plugins) is used. The plugin is operated on servers within our hosting infrastructure.

In connection with booking processes on customer websites, the following end-customer data of our customers may be processed:

  • Name
  • Email address
  • Telephone number
  • Appointment details

Responsibility for this data lies with the respective OceanOne customer as website operator. Customers are required to provide corresponding information to their end customers.

Legal basis (where we act as processor): Art. 28 GDPR in conjunction with the agreed DPA

Hosting and infrastructure

Our platform and related customer websites are operated via professional hosting infrastructure. Details of the systems used cannot be fully disclosed for operational reasons. However, we ensure that all infrastructure components used comply with GDPR requirements and that suitable technical and organizational measures are implemented to protect personal data.

Where data processing takes place outside the European Union, we ensure that suitable safeguards pursuant to Art. 44 et seq. GDPR are in place, in particular through the use of Standard Contractual Clauses.

Legal basis: Art. 6 para. 1 lit. b GDPR, Art. 6 para. 1 lit. f GDPR

AI-supported functions

OceanOne uses AI technologies for automated creation of website content and structures. In this context, user-provided information (e.g. industry, company name, description, requirements) may be processed to generate personalized website content.

The AI systems and providers used are not disclosed in detail for operational reasons. However, we ensure that:

  • processing is limited to what is necessary for service provision
  • suitable agreements with AI providers are in place (in particular data processing agreements or equivalent arrangements)
  • data transfer to third countries takes place only on the basis of suitable safeguards pursuant to Art. 44 et seq. GDPR

Users are advised not to enter sensitive personal data (e.g. special categories under Art. 9 GDPR) in AI-supported input fields unless expressly intended.

Legal basis: Art. 6 para. 1 lit. b GDPR, Art. 6 para. 1 lit. f GDPR

Automated setup of test, demo or project environments

Where the user activates a corresponding function or consents to it, the provider may automatically create accounts, test environments, temporary website copies, project previews or demo instances.

In this context, user-provided or connected data, content and technical information may be processed insofar as required to provide the respective function.

Temporary environments may be automatically deleted after a defined period.

Legal basis: Art. 6 para. 1 lit. b GDPR and, where applicable, Art. 6 para. 1 lit. a GDPR (consent)

Email and communication

When contact is made (e.g. by email or support form), the following data is processed:

  • Email address
  • Communication content
  • Metadata

Purpose: Handling inquiries, support, contractual communication

Transactional emails (e.g. registration confirmations, invoices) are sent as part of contract performance.

Promotional email communication is currently not carried out.

Legal basis: Art. 6 para. 1 lit. b GDPR (contract performance), Art. 6 para. 1 lit. f GDPR (legitimate interest)

Use of cookies and similar technologies

Our platform uses cookies and comparable technologies for:

  • Technical provision of the platform
  • Authentication and session management
  • Security and stability

Technically required cookies are used on the basis of Art. 6 para. 1 lit. f GDPR.

Cookies for analytics or marketing purposes are currently not used.

Storage duration

Personal data is only stored for as long as required for:

  • Contract performance
  • Statutory retention obligations (in particular commercial and tax-law periods of up to 10 years)
  • Legitimate interests

After termination of the contractual relationship and expiry of statutory retention obligations, personal data is deleted or anonymized. Short-term data processing (e.g. logs, test data) may be deleted after only a few days or weeks.

Automated decisions

Exclusively automated decision-making within the meaning of Art. 22 GDPR does not take place.

Rights of data subjects

Data subjects have the right to:

  • Access to stored data (Art. 15 GDPR)
  • Rectification of inaccurate data (Art. 16 GDPR)
  • Erasure of their data (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection to processing (Art. 21 GDPR)
  • Withdrawal of consent granted (Art. 7 para. 3 GDPR)

To exercise your rights, an informal message to the following address is sufficient: armand.debeer@sw-ift.com

Right to lodge a complaint

You have the right to lodge a complaint with the competent data protection supervisory authority. For SWIFT17 GmbH (registered office in Hesse), this is:

  • The Hessian Commissioner for Data Protection and Freedom of Information (HBDI)

P.O. Box 3163, 65021 Wiesbaden

  • https://datenschutz.hessen.de

Obligation to provide data

Provision of certain personal data is required for concluding and performing contracts. Without this data, individual platform functions cannot be used or contracts cannot be performed.

Security

We implement technical and organizational measures (TOMs) to protect personal data against loss, manipulation and unauthorized access. Our security measures are regularly reviewed and adapted to the state of the art.

Notification of data breaches

In the event of a personal data breach, notification will be made to the competent supervisory authority and affected data subjects, where legally required, in accordance with Art. 33 and 34 GDPR.

As of: May 2026 | SWIFT17 GmbH for OceanOne