studentive.

Disclaimer: This is a courtesy translation of the German Privacy Policy (Datenschutzerklärung). Only the German version available at studentive.de/datenschutz is legally binding. This English translation is provided for informational purposes only and has no legal effect.

Privacy Policy

Last updated: October 7, 2025

1. Privacy at a glance

Scope

This privacy policy applies to all online services we provide:

General notes

The following notes provide a simple overview of what happens to your personal data when you use our services. Personal data means any information relating to an identified or identifiable natural person. Detailed information can be found in the sections below.

Data collection in website, web app and mobile app

Who is responsible?

Processing is carried out by the provider named in the section “Controller and contact details”.

How do we collect your data?

Some data is collected when you provide it to us yourself (e.g. during registration, profile setup, messages on the platform, support requests).

Other data is collected automatically or after your consent when you use our services (e.g. technical data/log files, usage data in the web and mobile app; details below).

What do we use your data for?

To provide the website and apps, to operate and improve our matching service, to communicate (e.g. messages, email, push notifications), for security/error analysis and—after consent—for analytics. Legal bases can be found in the section “General notes on legal bases”.

What are your rights?

You have the right at any time to access, rectify, erase or restrict processing, the right to data portability as well as the right to object to processing under Art. 6(1)(e) or (f) GDPR and to direct marketing (see section “Your rights”). You can contact us at any time.

2. Hosting & operations

We host content of our website, web app and, where applicable, related backends with the following provider:

Host Europe

Provider: Host Europe GmbH, Hansestraße 111, 51149 Köln (“Host Europe”). When accessing our services, Host Europe records, among other things, server log files including IP address. Details: Host Europe privacy policy.

Processing is based on Art. 6(1)(f) GDPR (legitimate interest in reliable provision). Where consent is requested, processing additionally relies on Art. 6(1)(a) GDPR and § 25(1) TDDDG (e.g. for cookies/device information). Consent can be withdrawn at any time.

Data Processing Agreement

We have concluded a Data Processing Agreement (DPA) with Host Europe.

3. General information and mandatory disclosures

Data protection

We treat your personal data confidentially and in accordance with statutory data protection regulations and this privacy policy. Please note that data transmission over the internet (e.g. email) may have security gaps.

Controller and contact details

Controller:

Pancodium GmbH
Philosophenweg 31–33
47051 Duisburg

Phone: 02363-389904
Email: info@pancodium.de

Storage period

Unless a more specific period is stated in this policy, we store personal data only as long as necessary for the respective purpose. After the purpose has been fulfilled or upon a valid objection/withdrawal, we erase the data unless statutory retention obligations prevent this.

General notes on legal bases

Depending on the processing activity, we rely on:

Recipients of personal data

We transfer data to external parties only where a legal basis permits it (e.g. processors/hosting, support, analytics; official requests). We have DPAs in place with processors; in cases of joint controllership, appropriate arrangements exist.

Withdrawal of your consent

You can withdraw consent at any time with effect for the future. The lawfulness of processing prior to withdrawal remains unaffected.

Right to object (Art. 21 GDPR)

You may object at any time, on grounds relating to your particular situation, to processing based on Art. 6(1)(e) or (f) GDPR, including profiling based on those provisions. In case of objection we will no longer process the personal data unless we can demonstrate compelling legitimate grounds overriding your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

You may object to processing for direct marketing (including any related profiling) at any time.

Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority, in particular at your habitual residence, place of work or the place of the alleged infringement.

Right to data portability, access, rectification, erasure, restriction

Within the limits of the law, you have the aforementioned rights. Please contact us at any time.

SSL/TLS encryption

Our services typically use SSL/TLS encryption. You can recognise an encrypted connection by “https://” and the lock icon in your browser.

4. Data collection and processing by use case

4.1 Server log files (website/web app/backend APIs)

When our services are accessed, server log files are processed automatically (browser type/version, operating system, referrer URL, host name/IP address, time, requested resources). No combination with other data is performed. Legal basis: Art. 6(1)(f) GDPR (technical provision, security).

4.2 Registration, account & matching platform

To use matching features you can create an account. Processed data includes, for example: basic data (name, email, password hash), profile information (e.g. qualifications, interests, location data, availability where provided), platform interactions (e.g. likes/matches/applications), communication content (messages, notifications).

Purposes: account management, provision of matching features, communication between users and with us, abuse prevention. Legal basis: Art. 6(1)(b) GDPR (contract); additionally Art. 6(1)(f) GDPR (security/abuse prevention).

4.2.1 Additional data by audience/use case

4.2.2 Storage period

The above data is generally stored until you delete your account or remove individual entries yourself (e.g. profile content). Statutory retention duties remain unaffected.

4.3 Communication (email, phone, in-app messages, support)

We process requests and support cases to handle your enquiry. Legal bases: Art. 6(1)(b) GDPR (contractual context) or (f) (legitimate interest in efficient handling) or (a) (consent), where given. Storage until the purpose is achieved or as required by law.

4.4 Mobile app: device data, permissions & push notifications

Depending on features, the following data may be processed when using the mobile app:

Legal bases: Art. 6(1)(b) GDPR (use of app features), Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG (permissions/push where required). You can adjust permissions and push in your device settings at any time.

4.5 Swipe feature

For the swipe feature we store the swipe result (positive/negative), timestamp and chosen username. Legal basis: Art. 6(1)(a) GDPR (consent). Swipe results are used in a permanently anonymised form to train algorithms.

5. External services & integrations

5.1 PostHog (analytics & product optimisation; error analysis)

We use PostHog (PostHog Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA) to analyse usage data in the website, web app and mobile app (product improvement, support). PostHog processes, among other things, technical usage data and interactions; for logged-in usage, identifiers (e.g. email, name) may be associated where required for support/product purposes.

Note for company and university web applications: In business.studentive.app and university.studentive.app we also use PostHog for error analysis.

Consent mode (opt-in): If you agree via our cookie/consent banner, a unique identifier is stored persistently (e.g. cookie/equivalent) to recognise returning users. Legal basis: Art. 6(1)(a) GDPR; § 25(1) TDDDG. Withdrawal possible at any time.

Without opt-in: We perform a strictly limited, non-recognition-based usage analysis without persistent device identifiers (no cookie etc.) and with IP truncation/no cross-device tracking. Legal basis: Art. 6(1)(f) GDPR; § 25(2) TDDDG.

PostHog stores data exclusively on servers within the EU. There is a Data Processing Agreement between Pancodium GmbH and PostHog Inc. (including appropriate safeguards such as Standard Contractual Clauses). Details: PostHog privacy.

5.2 Sentry (error analysis – mobile app & student web app)

Sentry (Functional Software Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA) is used in the mobile app and the student web app (studentive.app) for crash reports and error analysis. Processed data may include error timestamp, device/OS, app version, technical event details, anonymised IP, optional custom logs, user ID, email (if available), and contextual fields (e.g. form inputs). No profiling, no session replay.

Legal bases: Art. 6(1)(f) GDPR (stable/error-free provision); for device-level access additionally Art. 6(1)(a) GDPR and § 25(1) TDDDG. A DPA under Art. 28 GDPR is in place; transfers rely on SCC/DPF (see provider information).

5.3 Laravel Nightwatch (backend monitoring, performance & error analysis)

We use Laravel Nightwatch (Laravel Holdings, Inc., 60 Broad St, 24th Floor #1559, New York, NY 10004, USA) to monitor our backend systems (performance analysis, error reporting, stability). Personal information arising from API interactions may be processed (e.g. timestamps, endpoints, status codes, IP/device info, user/account IDs, error messages/stack traces and, where necessary, contextual content snippets for diagnosis).

Region/storage: We selected the Europe (Frankfurt) region; processing therefore takes place within the EU. A DPA between Pancodium GmbH and Laravel is in place; appropriate safeguards are agreed.

Legal bases: Art. 6(1)(f) GDPR (legitimate interest in secure, stable and performant provision); additionally Art. 6(1)(b) GDPR where required to fulfil contractual obligations (incident remediation).

5.4 DFN-AAI / REFEDS & GEANT (SAML login; federated identity)

We participate in DFN-AAI and observe the GEANT Data Protection Code of Conduct v1 and the REFEDS Data Protection Code of Conduct v2 (“CoCo v2”). We also use REFEDS Personalized. When you sign in via your home organisation (IdP), the required attributes listed below may be released to us; processing is strictly purpose-bound and follows data minimisation.

Transfer to authentication service: Attributes delivered by the IdP are forwarded to AWS Cognito and stored there for account management (see section “5.5 AWS Cognito & Amazon SES”).

5.4.1 Requested (required) attributes

5.4.2 Purpose per attribute

| Attribute | Purpose | Legal basis |
| --- | --- | --- |
| subject-id | Unique, stable identifier for account assignment, session handling, abuse prevention, security event traceability. | Art. 6(1)(b) GDPR; Art. 6(1)(f) GDPR (security) |
| mail | Contact, account notifications, security notices, account recovery. | Art. 6(1)(b) GDPR |
| givenName, sn | Personalisation, name display, workflow assignment. | Art. 6(1)(b) GDPR |
| schacHomeOrganization | Assignment to the correct university tenant of studentive; control of institution-specific functions/policies. | Art. 6(1)(b) GDPR |
| eduPersonScopedAffiliation | Role and permission management (e.g. student vs. staff/faculty), access to respective functional areas. | Art. 6(1)(b) GDPR |

5.4.3 Data minimisation, retention, recipients

We process only the attributes listed above and only for the purposes stated. Retention follows the section “Storage period” or the lifetime of your account, unless legal duties require otherwise. No disclosure to third parties except to processors (e.g. hosting/support/authentication) under a DPA or where legally required.

5.4.4 Legal bases & agreements

Processing of DFN-AAI attributes is necessary to provide our service and manage access/authorisation decisions (Art. 6(1)(b) GDPR), complemented by our legitimate interest in secure access management and abuse prevention (Art. 6(1)(f) GDPR). A DPA under Art. 28 GDPR with DFN (Verein zur Förderung eines Deutschen Forschungsnetzes e. V.) is in place.

5.4.5 Additional notes

Depending on the IdP, displayName and eduPersonAssurance may be transmitted; we do not store or process these as they are not required for our service. Where data is transferred outside the EU/EEA, appropriate safeguards (e.g. SCC) are used.

5.5 AWS Cognito & Amazon SES (authentication & email)

Amazon Cognito (Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, 1855 Luxembourg) is used for registration, authentication and account management (email, hashed passwords, sign-in data/tokens, IP, device/login metadata). DFN-AAI attributes are forwarded to Cognito and stored there (see 5.4).

Amazon SES is used for authentication-related emails (e.g. confirmations, password resets) and platform notifications. Processing generally occurs in the EU (e.g. Frankfurt region); occasional third-country transfers (notably USA) rely on appropriate safeguards (SCC/DPF). Legal bases: Art. 6(1)(b) and (f) GDPR.

Further info: AWS Privacy, AWS GDPR Center

5.6 DeepL (translations)

DeepL SE, Maarweg 165, 50825 Cologne, Germany. We transmit content to be translated (e.g. job postings, company profiles, free-text, keywords) to DeepL; after the translation process these are deleted there. DeepL may also be used elsewhere wherever a translation feature is indicated in the interface. Legal basis: Art. 6(1)(f) GDPR (multilingual provision). Info: deepl.com/privacy.

5.7 Google Fonts (local hosting)

We use locally hosted Google Fonts; no connection to Google servers is made. Further information: FAQ, Google privacy.

5.8 Stripe (Payment Service Provider – companies only)

For company users, we use the payment service provider Stripe Payments Europe, Ltd. (1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland; “Stripe”) to process payments. Stripe provides the technical infrastructure that enables payment transactions for our services.

Responsibility: The contracting party and data controller for billing purposes remains Pancodium GmbH (not Stripe). Stripe processes personal data solely for the purpose of payment processing as a data processor on behalf of Pancodium GmbH, in accordance with Art. 28 GDPR and based on the Data Processing Agreement (DPA), which is automatically concluded between Stripe and us.

Categories of data processed: Stripe processes in particular payment and billing information (e.g. name, billing address, email address, company details, credit card or bank account data, transaction details, and fraud prevention data).

Legal basis: The processing of personal data by Stripe is based on Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in secure and efficient payment processing).

For more information, please refer to Stripe’s Privacy Policy.

5.9 Supademo (interactive demos & tutorials)

To provide interactive demos and tutorials on our landing page and within our apps, we use Supademo by Supademo, Inc., 651 N Broad St Suite 201, Middletown, DE 19709, USA. Supademo allows us to display guided click-through demonstrations of our platform. Depending on interaction, technical data (e.g. IP address, browser, interaction behaviour in the demo) may be processed. Processing takes place only after your consent within the embedded demo (Supademo’s cookie/tracking banner).

Roles: Supademo acts as a processor under Art. 28 GDPR. A corresponding data processing agreement (DPA) has been concluded with Supademo. Further information can be found in the Supademo privacy policy.

Legal bases: Embedding is based on your consent (Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG). Without your consent, no processing by Supademo takes place.

5.10 Cal.com (appointment booking & calendar widget)

For booking appointments, we integrate the service Cal.com (Cal.com, Inc., 2261 Market Street, Suite 4382, San Francisco, CA 94114, USA) on our landing page as a widget and use it generally for appointment management. When using this widget or when booking an appointment, personal data is processed. This includes in particular: master data (e.g. name), contact data (e.g. email address, possibly phone number), appointment and communication data (selected slot, timezone, notes, confirmation/reminder emails) as well as technical usage data (e.g. IP address, browser/device information) for providing the widget and for abuse/error prevention.

Purposes: Appointment finding and management, communication around the appointment (confirmations, reminders, changes), as well as technical provision/security of the widget.

Legal bases: Art. 6(1)(b) GDPR (performance of pre-contractual measures/contract performance in connection with the appointment arrangement) and Art. 6(1)(f) GDPR (legitimate interest in efficient appointment organisation as well as in the secure/error-free provision of the widget). Insofar as device information that is not absolutely necessary for the widget is stored or accessed (e.g. non-essential cookies/similar technologies), this is done on the basis of your consent pursuant to Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG; technically necessary access is based on § 25(2) TDDDG.

Recipients & roles: Cal.com acts for us as a processor within the meaning of Art. 28 GDPR. We have concluded a data processing agreement (DPA) with Cal.com.

Third country transfers: Processing may take place in third countries (especially USA). In these cases, appropriate safeguards pursuant to Art. 46 GDPR (e.g. EU Standard Contractual Clauses) are used; in addition, we take supplementary protective measures where necessary.

Storage period: We process the data, as far as necessary, until the respective appointment is processed and beyond that according to legal retention obligations or until you withdraw your consent, insofar as such a legal basis is applicable. Log/technical data is deleted as soon as it is no longer required for the stated purposes.

Notes on embedding: The widget is loaded from Cal.com servers. Depending on how you interact with the widget, Cal.com may use its own cookies or similar technologies for this purpose. These are set – insofar as not technically necessary – only after your consent. You can withdraw given consents at any time with effect for the future (e.g. via our consent banner).

6. Our social media presences

This privacy policy applies to the following presences

Data processing by social networks

When visiting our presences, the respective providers may analyse your usage behaviour (also without login via cookies/device IDs/IP). Providers may create profiles and use them for interest-based advertising. For details, please refer to the privacy notices of the platforms.

Legal bases, responsibility, rights

Our social media presences serve broad public visibility (Art. 6(1)(f) GDPR). Otherwise, the legal bases of the platform operators apply. For Facebook Pages, for example, joint controllership applies (Controller Addendum: link). You can exercise your rights both against us and against the respective operator.

Platform-specific notes (excerpt)

Facebook & Instagram (Meta)

Ad settings: Facebook. Data transfer to the USA based on Standard Contractual Clauses (SCC). Details: SCC Meta, Help, privacy: Facebook, Instagram.

X (formerly Twitter)

Settings: Personalisation. SCC info: link. Privacy: link.

LinkedIn

Disable advertising cookies: link. SCC/DPA: DPA, SCC. Privacy: link.

TikTok

Privacy: link. International data transfers under SCC (see TikTok privacy notices for details).

7. Additional information

Protection of minors

Our services are not intended for children under 16. Persons under 16 may only provide personal data with the consent of their legal guardians.

Security

We implement appropriate technical and organisational measures (TOMs) to protect your data against loss, misuse and unauthorised access.

Changes to this privacy policy

We update this policy when our services or the legal situation require it. The current version applies.