CellAlert

Legal

Privacy

Information on the processing of your data pursuant to Art. 13 of the General Data Protection Regulation (GDPR).

This privacy policy applies to this website as well as to the CellAlert app (app.cellalert.app) and the Office add-in (office.cellalert.app). Processing within the product is described in section 9.

Last updated: 4 June 2026

1. Controller

The controller responsible for data processing on this website within the meaning of the GDPR is:

Balane GmbH
Balanstraße 84
81541 Munich
Germany

Email: contact@balane.tech

Managing Director: Jonas David Höttler

2. Data protection officer

We have not appointed a data protection officer, as the legal requirements under Art. 37 GDPR in conjunction with § 38 BDSG do not apply. For data protection matters, please contact us directly at contact@balane.tech.

3. General information

The following notes provide an overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to identify you personally (Art. 4 No. 1 GDPR).

SSL/TLS encryption

For security reasons and to protect the transmission of confidential content, this website uses SSL/TLS encryption. You can recognise an encrypted connection by the padlock symbol in your browser bar and by the fact that the address line begins with “https://”.

Cookies

This website does not set cookies. Reach measurement (section 5) is cookieless. We only access information on your device (§ 25 TDDDG) with your consent — for the optional session recording (section 6); your decision is stored in your browser's local storage.

Fonts (web fonts)

This website uses the fonts “Anton” and “Archivo”. The font files are embedded once at the time of the project build and are then delivered exclusively from the server of our hosting provider (see section 4) (self-hosting). When you access this website, no connection is established to Google servers and your IP address is not transmitted to Google LLC.

Automated decision-making

Automated decision-making, including profiling, pursuant to Art. 22 GDPR does not take place.

4. Hosting & server logs (Vercel)

Hosting provider

Vercel Inc.
440 N Barranca Ave #4133
Covina, CA 91723
USA

Nature and scope of processing

When you visit this website, the hosting provider automatically stores technical information in server log files:

Purpose of processing

Processing takes place for the technical provision of the website, to ensure system security (e.g. defence against attacks) and to optimise our online offering.

Legal basis

Art. 6 (1) (f) GDPR (legitimate interest). Our legitimate interest lies in the proper functioning, security and availability of our website.

Storage period

The log data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. This is regularly the case after 7 to 30 days.

Third-country transfer (USA)

Vercel Inc. is based in the USA and operates servers worldwide, including outside the EU. The transfer of data to the USA takes place on the basis of Art. 45 (3) GDPR in conjunction with the European Commission's adequacy decision of 10 July 2023 on the EU-US Data Privacy Framework (DPF), under which Vercel Inc. is certified. In addition, we have concluded a data processing agreement with Vercel pursuant to Art. 28 GDPR, including the EU standard contractual clauses as an additional safeguard. Access by authorities on the basis of US surveillance laws (e.g. FISA 702, CLOUD Act) cannot be completely ruled out from a technical standpoint.

5. Reach measurement (Umami)

This website uses Umami, a privacy-friendly open-source web analytics software that we operate on an instance run by us.

Nature and scope of processing

Umami collects the following data for each page view:

Umami does not set cookies and does not access information on your device within the meaning of § 25 (1) TDDDG (no access to local/session storage, no fingerprinting). A hash value is generated server-side on a daily basis from the IP address and user agent; it serves to distinguish returning visitors within a single day and is then discarded.

Purpose of processing

Reach measurement, analysis of usage behaviour on an aggregated basis and optimisation of our online offering.

Legal basis

As no access to device information within the meaning of § 25 (1) TDDDG takes place, no consent is required. The remaining processing of the hashed IP address is carried out on the basis of Art. 6 (1) (f) GDPR. Our legitimate interest lies in data-minimising reach measurement and quality assurance of our online offering.

Hosting / third-country transfer

Our Umami instance is operated on infrastructure provided by Railway Corp., 2261 Market Street #4059, San Francisco, CA 94114, USA. The servers are located in a region within the European Union (Amsterdam, Netherlands). As the provider of the infrastructure, Railway Corp. is nonetheless a US company; the transfer to Railway Corp. therefore constitutes a third-country transfer within the meaning of Art. 44 GDPR. We have concluded a data processing agreement with Railway Corp. pursuant to Art. 28 GDPR, including the EU standard contractual clauses as an additional safeguard (Art. 46 (2) (c) GDPR). Access by authorities under US law (CLOUD Act, FISA 702) cannot be completely ruled out; as a supplementary technical protective measure, IP addresses are hashed server-side and not stored in plain text.

Storage period

Aggregated usage statistics are retained for 24 months and then deleted. Pseudonymous individual records are not stored for longer than 30 days.

6. Session recording (OpenReplay)

In addition to aggregated reach measurement, we use OpenReplay, an open-source software for the pseudonymous recording of individual sessions on this website. OpenReplay is hosted by us; no transfer to the manufacturer or any other third parties takes place. Recording only starts after you have given your consent via the notice at the bottom of the page.

Nature and scope of processing

The following data is collected per session:

Recording takes place with aggressive masking: all input fields as well as automatically detected email addresses, phone numbers and other number sequences are masked in the browser before transmission and are not transferred in plain text. Iframes are not recorded, nor are request/response bodies of network calls. If your browser sends the Do-Not-Track header, no recording takes place regardless of any consent given.

Purpose of processing

Analysis of usage obstacles and error situations, improvement of the usability and technical quality of this website.

Legal basis

As OpenReplay accesses information on your device in order to replay a session (in particular local storage for session assignment), recording requires consent pursuant to § 25 (1) TDDDG. The processing of the data collected in this way is based on your consent pursuant to Art. 6 (1) (a) GDPR. You can revoke your consent at any time with effect for the future; the lawfulness of the processing carried out up to the point of revocation remains unaffected.

Revocation / opt-out

You can change your decision at any time by deleting the localStorage entry cellalert.consent.replay in your browser — the consent notice will be displayed again the next time you visit the page. Alternatively, activate your browser's Do-Not-Track header; in that case, no recording takes place even if consent has been given.

Hosting / third-country transfer

Our OpenReplay instance is operated on infrastructure provided by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. The servers are located in a data centre in Nuremberg, Germany. No transfer to a third country takes place. We have concluded a data processing agreement with Hetzner pursuant to Art. 28 GDPR.

Storage period

Session recordings are automatically deleted after no later than 30 days. Aggregated analyses (e.g. heatmaps, error statistics) may be retained for up to 12 months.

7. Support requests (contact form)

On our support page you can reach us via a contact form. In doing so, we process the data you provide: name (optional), email address, subject (optional) and the content of your message.

Purpose of processing

Receipt and handling of your support or contact request.

Legal basis

For requests relating to a (potential) contract: Art. 6 (1) (b) GDPR (performance of pre-contractual measures / performance of a contract). For other requests: Art. 6 (1) (f) GDPR (legitimate interest in responding to your request).

Service providers used

Your form message is created directly as a ticket in our helpdesk system Zammad (support group “CellAlert”) via a secured interface. We operate Zammad ourselves on infrastructure provided by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany (servers in Nuremberg). No transfer to a third country takes place in this process. A data processing agreement pursuant to Art. 28 GDPR is in place with Hetzner. For confirmation and follow-up questions, Zammad sends emails to the address you provided.

You can view the status of your ticket yourself at any time in the support portal. Sign in there with the email address you provided and set a password via “Forgot password” — this way you have access even if a notification email lands in your spam folder.

Storage period

The data is deleted as soon as the handling of your request has been completed and no statutory retention obligations (in particular § 257 HGB, § 147 AO) apply. Requests that have not led to a business relationship are deleted no later than 12 months after the last contact.

8. Payment processing & licence management

To purchase paid plans, you are redirected to the checkout of our payment service provider LemonSqueezy. LemonSqueezy acts as a “Merchant of Record” and handles the payment process on its own responsibility; in this respect, LemonSqueezy's privacy policy applies. The provider is Lemon Squeezy, LLC, USA. The transfer to the USA constitutes a third-country transfer within the meaning of Art. 44 GDPR.

After a successful purchase, we receive the order data required for licence and account management from LemonSqueezy via webhook (in particular email address as well as order and licence information). We store this with Supabase (Supabase Inc., USA) in a database region within the EU (Frankfurt am Main). A data processing agreement pursuant to Art. 28 GDPR, including the EU standard contractual clauses, is in place with Supabase.

Purpose of processing

Performance of the purchase contract as well as provision and management of the purchased licence.

Legal basis

Art. 6 (1) (b) GDPR (performance of a contract).

9. Use of the CellAlert app, the add-in and reminders

Beyond your visit to this website, we process personal data when you use the CellAlert app (app.cellalert.app), the Office add-in (office.cellalert.app) or the reminder function.

Account & registration

To use the service you register with an email address and password; this creates an organization owned by you. Authentication and database are operated via Supabase in a region within the EU (Frankfurt am Main). Legal basis: Art. 6 (1) (b) GDPR (performance of a contract).

Deadline metadata & cell references

CellAlert stores the metadata required to monitor deadlines (e.g. title, date, category, responsible person) and a reference to the respective cell (file/sheet/cell) — deliberately not the content of your Excel file. Storage takes place with Supabase (EU/Frankfurt). Legal basis: Art. 6 (1) (b) GDPR.

Reminder emails

To deliver deadline reminders we send emails via the service Brevo (Sendinblue SAS, 106 boulevard Haussmann, 75008 Paris, France). The recipients' email address and the content of the reminder are transmitted. A data processing agreement pursuant to Art. 28 GDPR is in place with Brevo. Legal basis: Art. 6 (1) (b) GDPR.

Office add-in

The Office add-in (office.cellalert.app) lets you create deadlines directly from Microsoft Excel/Office. Only the date and cell information you select is transmitted to CellAlert, not the entire file. The above notes on account, storage (Supabase) and reminders apply accordingly.

10. External links to third parties

This website contains links to external platforms, such as the checkout of our payment service provider LemonSqueezy as well as download sources for our application. When you click on such links, you leave our website and the respective privacy policies of the linked providers apply. We have no influence on their data processing and accept no responsibility for it.

11. Template downloads & newsletter (Brevo)

On the “Templates” page you can request free Excel templates. To do so you provide your email address (optionally your name); we then send you the download link by email. Delivery takes place via the service Brevo (Sendinblue SAS, 106 boulevard Haussmann, 75008 Paris, France), with whom a data processing agreement pursuant to Art. 28 GDPR is in place.

Purpose & legal basis

Sending you the template you requested is based on Art. 6 (1) (b) GDPR (performance of a service provided at your request). This processing is not tied to any consent to the newsletter.

Newsletter (only with consent)

Optionally, you can consent to occasionally receiving tips and news about CellAlert by email. This consent is voluntary and not a precondition for the template download. You are added to our newsletter list at Brevo using a double opt-in procedure: you first receive a confirmation email and are only added to the list after clicking the confirmation link. Legal basis: Art. 6 (1) (a) GDPR (consent). You can withdraw your consent at any time with effect for the future, for example via the unsubscribe link in every newsletter email.

Storage period

For a pure template request without newsletter consent, we process your email address only to send the template and do not store any further list entry. With newsletter consent, your data remains on the list until you unsubscribe or withdraw your consent.

12. Overview of recipients

We only transfer your personal data to the following recipients, in each case on the basis of a data processing agreement pursuant to Art. 28 GDPR or — in the case of LemonSqueezy — to a controller independently responsible for payment processing:

No further transfer to third parties (e.g. for advertising purposes) takes place.

13. Data backups

To ensure data security and recoverability, we create regular backups of the systems we operate (in particular the Umami and OpenReplay instances). Backups are stored encrypted and overwritten on a rolling basis after no later than 30 days. Legal basis: Art. 6 (1) (f) GDPR in conjunction with Art. 32 GDPR (security of processing).

14. Your rights as a data subject

You have the following rights with regard to your personal data. You can assert all rights informally by email to contact@balane.tech.

Right of access (Art. 15 GDPR)

You have the right to request information about your personal data processed by us.

Right to rectification (Art. 16 GDPR)

You have the right to request the immediate rectification of inaccurate data or the completion of your stored data.

Right to erasure (Art. 17 GDPR)

You have the right to request the erasure of the data stored by us, insofar as processing is not necessary for the exercise of the right to freedom of expression, for compliance with legal obligations, for reasons of public interest, or for the establishment, exercise or defence of legal claims.

Right to restriction of processing (Art. 18 GDPR)

You have the right to request the restriction of the processing of your personal data.

Right to data portability (Art. 20 GDPR)

You have the right to receive your data in a structured, commonly used and machine-readable format or to request its transmission to another controller.

Right to withdraw consent (Art. 7 (3) GDPR)

Insofar as processing is based on your consent, you can withdraw it at any time with effect for the future. The lawfulness of the processing carried out until withdrawal remains unaffected.

Right to lodge a complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a data protection supervisory authority, in particular in the member state of your residence, your place of work or the place of the alleged infringement (see section 16).

15. Right to object under Art. 21 GDPR

You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you that is carried out on the basis of Art. 6 (1) (f) GDPR (legitimate interest).

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves to establish, exercise or defend legal claims.

Contact for objections: contact@balane.tech

16. Competent supervisory authority

Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18
91522 Ansbach
Germany

Phone: +49 (0) 981 180093-0

Email: poststelle@lda.bayern.de

Website: www.lda.bayern.de

17. Changes to this privacy policy

We reserve the right to adapt this privacy policy so that it always complies with current legal requirements or in order to reflect changes to our services. The version current at the time of your visit to the website applies. Version date: 4 June 2026.