Privacy Policy
This English version is provided for convenience. The German version is legally binding.
1. Controller
The controller for data processing on this website is:
DKM MEDIA GROUP – FZCO
Building A1, Dubai Digital Park
Dubai Silicon Oasis
Dubai, United Arab Emirates
Email: contact@shipsmartify.com
2. General Information
The protection of your personal data is important to us. We process personal data of visitors to this website exclusively within the framework of the applicable data protection regulations (in particular the GDPR) and only to the extent necessary to provide a functional website, to process contact and application requests, and to ensure technical and organizational security.
This website serves to provide general information about ShipSmartify and our services, to enable contact requests and career applications, and to provide the sourcing platform SmartSource for registered business customers. The SmartSource platform is used to handle sourcing requests, quote comparisons, shipping calculations and the communication between customers and source managers.
3. What Data We Process
3.1 When Visiting the Website
- IP address (truncated where analytics is active)
- date and time of access
- pages and files accessed
- referrer URL
- browser type and browser version
- operating system and device information
- language settings
- UTM parameters and, where applicable, click IDs (gclid, fbclid) for attributing the traffic source
3.2 For Contact and Lead Forms (Initial Consultation, Sourcing, AI Support Waitlist)
- name
- email address
- phone number, if provided
- company and shop URL, if provided
- monthly order or sourcing volume, if provided
- business model (D2C / B2B), growth stage, timeframe
- preferred contact channel (email, WhatsApp, phone, Instagram)
- main concern / selected levers
- content of the free-text message
- technical lead metadata (source, score, timestamp)
3.3 For Career Applications
- name, email address
- phone number, city/country (if provided)
- LinkedIn and portfolio/GitHub URL (if provided)
- professional experience, knowledge, motivation (free text)
- earliest possible start date, salary expectations
- desired position
- uploaded application documents (CV, cover letter) as PDF/DOC/DOCX
Application documents are stored in a private, encrypted file bucket with our database provider (see Section 6) and are used only internally for review and selection as part of the application process.
3.4 For Registration and Use of the SmartSource Platform
For the registration and use of the SmartSource sourcing platform, we process the following data exclusively from business customers (see Clause 12 of the GTC):
- email address (for account login and confirmation emails)
- encrypted password hash or authentication token for magic link login
- first and last name, optional company
- optional phone number
- role within the platform (customer, source manager, admin source manager)
- session data and login timestamps for authentication
- account status (active, suspended, reason for suspension) as well as consent to the GTC and Privacy Policy
- IP address and device information for spam and abuse prevention
3.5 For Sourcing Requests, Quotes and Platform Communication
When processing sourcing requests (so-called "tickets"), the following data is stored:
- the product description, category, subtypes, quantities, target markets and sales channels specified in the wizard
- product images, specifications and other files uploaded by the customer
- ticket status, history and internal processing notes of our source managers
- quotes from the requested suppliers including internal calculation data (unit prices, margins, shipping calculation)
- quote options accepted or selected by the customer
- content of all messages in the ticket chat including timestamp and author
- file attachments in the chat (images, PDFs, office documents, ZIPs)
- compliance snapshots generated by us on the basis of the request data
- optional internal manager notes (e.g. customer classification, negotiation leeway) that can only be viewed by source managers with the corresponding authorization
Uploaded files are stored in private, encrypted storage buckets (see Section 6) and are accessible exclusively to authorized persons (the customer as owner of the respective ticket, source managers) via signed, time-limited URLs.
3.6 Email Notifications via the SmartSource Platform
As part of platform use, we send transactional emails to the registered address, in particular:
- confirmation email upon account registration
- password reset emails (upon request)
- magic link login emails (if this login method is chosen)
- status change emails for significant ticket updates
- emails to source managers upon @-mentions in internal notes
- invitation emails to newly invited team members
These emails are technically necessary for the provision of the platform services (Art. 6(1)(b) GDPR). These addresses are not used for advertising purposes without separate consent.
4. Purposes of Data Processing
- provision and delivery of the website and the SmartSource platform
- authentication of registered customers and source managers (sessions, login)
- processing of sourcing requests (wizard, tickets, quotes, shipping calculation)
- communication between customers and source managers (ticket chat, file attachments)
- creation of compliance snapshots and knowledge base notices
- sending transactional emails (confirmations, status updates, mentions)
- processing of contact, lead and application requests
- performance measurement and optimization of our marketing campaigns (only with consent)
- audience measurement and improvement of website content (only with consent)
- internal processing and CRM notes for following up on requests
- abuse prevention, spam protection and technical administration
- ensuring the stability and security of the entire infrastructure
5. Legal Bases for Processing
Insofar as personal data is processed for the technical provision and security of the website, this is based on our legitimate interest in a secure and functional online presence (Art. 6(1)(f) GDPR).
If you contact us, the processing is carried out to handle your request and, where applicable, to implement pre-contractual measures (Art. 6(1)(b) GDPR).
The processing of your data for the use of the SmartSource platform (account registration, wizard, tickets, quotes, chat, file uploads, compliance snapshots) is carried out for the performance of a contract and for the implementation of pre-contractual measures (Art. 6(1)(b) GDPR). The processing of internal notes and the retention of audit data is based on our legitimate interest in legally compliant and traceable sourcing support (Art. 6(1)(f) GDPR).
Application data is processed on the basis of the initiation of an employment relationship (Art. 6(1)(b) GDPR or Section 26 of the German Federal Data Protection Act (BDSG) for applicants residing in Germany).
We use cookies and pixels for analytics and marketing purposes exclusively on the basis of your consent (Art. 6(1)(a) GDPR, Section 25(1) of the German Telecommunications and Telemedia Data Protection Act (TTDSG)). You can withdraw any consent you have given at any time with effect for the future.
6. Hosting, Infrastructure and Processors
We use the following service providers for operation, storage and communication. They act on our instructions within the framework of data processing agreements or comparable contractual safeguards.
6.1 Hosting & Delivery
- Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA: hosting, global CDN delivery, edge functions.
- GitHub, Inc., 88 Colin P. Kelly Jr. St, San Francisco, CA 94107, USA: source code management and deployment triggers.
6.2 Database, Authentication & File Storage
- Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992: encrypted Postgres database for leads, applications, SmartSource accounts, tickets, quotes, chat logs and compliance snapshots. Supabase Auth for account login, password hashing and session management. Several private, encrypted storage buckets:
wizard-uploads(product images from the request wizard),quote-images(product images for quotes provided by our source managers) andchat-files(file attachments in the ticket chat). Access to bucket contents takes place exclusively via signed, short-lived URLs (typically valid for 60 minutes) and by authorized persons (the customer as ticket owner as well as source managers). Data is hosted in EU regions.
6.3 Email Delivery
- Resend, Inc., 2261 Market Street #4382, San Francisco, CA 94114, USA: sending confirmation and internal notification emails (e.g. after receipt of a lead or an application).
6.4 Internal Task Management
- ClickUp (Mango Technologies, Inc.), 350 Tenth Avenue #1500, San Diego, CA 92101, USA: automatic creation of internal tasks for particularly qualified requests (hot leads). Only the lead master data necessary for processing is transferred.
6.5 Spam and Bot Prevention
- Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA: bot and spam prevention via Cloudflare Turnstile on the public forms (lead forms, SmartSource login and registration). Device and browser signals are transmitted to validate that the request originates from a real person. No tracking cookies are set. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in protection against abuse).
6.6 Access by Our Team
Within DKM MEDIA GROUP – FZCO, our source managers and admin source managers may, as part of their duties, access sourcing tickets, quotes, chat histories and file attachments of the customer assigned to them. Access is role-based and technically secured through row-level security in the database. All team members are contractually bound to confidentiality.
6.7 Data Transfers to Third Countries
Transfers to third countries (in particular the USA) are possible. We ensure that any such transfer takes place only on the basis of appropriate safeguards, in particular EU standard contractual clauses (SCCs) as well as supplementary technical and organizational measures.
7. Cookies and Tracking
This website uses cookies and comparable technologies (e.g. localStorage) to provide functions, to analyze usage behavior anonymously and, with corresponding consent, to display personalized advertising and measure its performance.
On your first visit to the website, we ask for your consent via a cookie banner. You can adjust your selection at any time by reopening the banner (e.g. by clearing your browser storage for this domain) or by contacting us informally.
7.1 Necessary Cookies
These are required for the technical operation of the website (e.g. storing your cookie selection, form protection, spam prevention, admin login). Legal basis: Art. 6(1)(f) GDPR in conjunction with Section 25(2) no. 2 TTDSG (German Telecommunications and Telemedia Data Protection Act).
7.2 Audience Measurement: Google Analytics 4
If you consent, we use Google Analytics 4 to obtain anonymized usage statistics (page views, time on site, traffic sources, conversion paths). The IP address is truncated before storage (IP anonymization, anonymize_ip: true). No cross-site tracking takes place.
Provider: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. Data may be transferred to the USA by Google LLC. Legal basis: Art. 6(1)(a) GDPR (consent).
7.3 Marketing Pixels and Conversion Tracking
If you consent, we use pixels and conversion tags from the following providers. They enable us to measure the effectiveness of our advertisements, to attribute conversions (e.g. initial consultation requests, career applications) to the respective campaigns, and to use remarketing to specifically address people who have already visited our website.
- Meta Pixel (Facebook & Instagram Ads). Provider: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland. Transfer to the USA possible.
- Google Ads conversion tracking. Provider: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. Transfer to the USA by Google LLC possible.
- TikTok Pixel. Provider: TikTok Technology Ltd., 10 Earlsfort Terrace, Dublin 2, Ireland. Transfer to the USA, the United Kingdom or other third countries possible.
In particular, the following data may be transmitted to the providers via the pixels: truncated IP address, browser and device information, pages visited, triggered events (e.g. "Lead", "PageView", "Conversion"), click IDs (gclid, fbclid) and a pseudonymized user ID of the respective pixel. Legal basis: Art. 6(1)(a) GDPR (consent). You can withdraw your consent at any time; the pixels are then deactivated immediately.
7.4 Server-Side Conversion Tracking (Meta Conversions API)
Independently of the browser pixel described above, we use the Meta Conversions API (CAPI) for the server-side transmission of anonymized page view events to Meta. Unlike the browser pixel, this transmission sets no cookies on your device and transmits no personal identifiers such as email address, name or phone number.
Only the following is transmitted: the URL accessed, IP address, browser identifier (user agent) and, where applicable, click IDs from advertising links (fbclid). Meta uses this data exclusively to measure the reach and effectiveness of our advertisements and to improve ad targeting quality (e.g. lookalike audiences). ShipSmartify does not identify individual users.
Provider: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland. Transfer to the USA possible (standard contractual clauses pursuant to Art. 46 GDPR). Legal basis: Art. 6(1)(f) GDPR (legitimate interest in efficient advertising and performance measurement without further identification). You can object to this processing at any time by sending an informal message to contact@shipsmartify.com; we will then remove you from the server-side events.
7.5 Microsoft Clarity: Audience and Behavior Analysis
If you consent, we use Microsoft Clarity to obtain anonymized usage statistics (heatmaps and aggregated session replays). This helps us understand where users click on our website and where they may get stuck, exclusively for the purpose of improving the user experience.
Personal input in forms is automatically masked by Clarity and not recorded. IP addresses are truncated. Provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. Data may be transferred to the USA by Microsoft Corporation. Legal basis: Art. 6(1)(a) GDPR (consent).
7.6 Embedded YouTube Video (Contact Page)
A video hosted on YouTube is embedded on our contact page. We use the privacy-enhanced mode (youtube-nocookie.com) for this. As long as you do not play the video, only a static preview image is loaded from YouTube; no cookies are set and no usage behavior is recorded.
Only when you click the play button does your browser establish a connection to the servers of YouTube. In doing so, YouTube may process, among other things, your IP address, device and browser information as well as data about the video played. Provider: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. A transfer to the USA by Google LLC is possible. Legal basis: Art. 6(1)(a) GDPR (consent through actively clicking on the video).
7.7 Google Consent Mode v2
We use Google Consent Mode v2. If you reject cookies, Google only receives aggregated, device-less signals without personal identifiers. No tracking cookies are set. In this case, the Meta and TikTok pixels are not loaded at all.
8. No Disclosure for Third-Party Advertising Purposes
We do not disclose personal data to third parties for their own advertising or commercial purposes. In particular, we do not sell or rent lead or applicant data.
Processing by the technical service providers named in Section 6 takes place exclusively on our instructions for hosting, infrastructure, communication, security or the processing of requests and applications.
9. Storage Period
- technical log data: only for the time required for security and operation
- lead and request data (outside SmartSource): as long as necessary for processing and follow-up communication; at the latest after 24 months, unless a contractual or statutory retention obligation applies
- SmartSource account data: for the duration of the existing platform relationship and, after its termination, to the extent required to fulfill statutory retention obligations (in particular under commercial and tax law, typically up to 10 years)
- tickets, quotes, chat histories, compliance snapshots and uploaded files: for the duration of the ongoing sourcing relationship and, where applicable, beyond that for the duration of statutory retention obligations or to document the sourcing activities carried out
- application documents: up to 6 months after completion of the application process; with express consent, longer inclusion in an applicant pool is possible
- consent status (cookie selection): stored in the user's browser for up to 12 months, can be reset at any time
- beyond that, only insofar as statutory retention obligations exist
Upon express request, we delete or anonymize account and ticket data as soon as no statutory, contractual or legitimate interests require further storage.
10. International Data Processing
Since DKM MEDIA GROUP – FZCO is based in Dubai (United Arab Emirates) and some of the technical service providers used operate servers in the USA, Singapore or other third countries, personal data may be processed outside your country of residence.
We ensure that such processing takes place only to the extent necessary and subject to appropriate safeguards (in particular EU standard contractual clauses and supplementary protective measures).
11. Your Rights
To the extent provided by law, you have the right:
- to request information about the data stored about you (Art. 15 GDPR)
- to have inaccurate data rectified (Art. 16 GDPR)
- to request the erasure of your data (Art. 17 GDPR)
- to request the restriction of processing (Art. 18 GDPR)
- to object to the processing (Art. 21 GDPR)
- to request data portability (Art. 20 GDPR)
- to withdraw any consent given with effect for the future (Art. 7(3) GDPR)
- to lodge a complaint with a supervisory authority (Art. 77 GDPR)
To exercise your rights, an informal message is sufficient: contact@shipsmartify.com
12. Data Security
We take appropriate technical and organizational measures to protect personal data against loss, unauthorized access, misuse or impermissible disclosure. These include in particular:
- TLS-encrypted transmission throughout (HTTPS)
- encrypted storage of database contents and file buckets
- hashing of all passwords using modern standard algorithms (Argon2/bcrypt via Supabase Auth)
- row-level security at the database level, so that customers can only view their own data and managers only their assigned tickets
- access to uploaded files exclusively via signed, short-lived URLs; storage buckets are not publicly accessible
- role-based permissions for source managers and admin source managers
- spam and bot prevention via Cloudflare Turnstile on public forms
- rate limiting on sensitive API endpoints (login, chat uploads, lead submission)
- regular backups by our database provider Supabase
- separately protected admin area with separate authentication
13. Changes to this Privacy Policy
We reserve the right to amend this Privacy Policy with effect for the future if this becomes necessary due to technical, legal or organizational changes.
Last updated: June 3, 2026