Privacy Policy for ID Garden Beta Service

Last Updated: 04.12.2025
This Privacy Policy governs the processing of personal data in connection with our Secure ID beta service.
From time to time, we may invite users to participate in additional services, pilots, or feedback sessions, which may be provided through other platforms. Where this occurs, we will either update this Privacy Policy or provide you with a separate privacy notice specific to that service.

1. Controller Information

Garden, represented by Defora Networks GmbH, Wallstr. 9, 10179 Berlin, Germany, is the data controller responsible for your personal data collected in relation to your account and use of the Service.

2. The Data We Process and Why (The Legal Basis)

We process the minimal amount of data necessary to provide our cybersecurity service.

| Purpose of Processing | Types of Data Processed | Legal Basis (GDPR) |
|---|---|---|
| To provide and improve the core Service (Identify spam, phishing & other cyber threats) | Message metadata and content (automated handling and analysis only) | Performance of a Contract (Art. 6(1)(b)): This processing is essential for the service you requested. |
| To create and manage your user account | Your email address, login credentials, account settings, transaction history, billing details, contact details and other account settings data | Performance of a Contract (Art. 6(1)(b)): Necessary to maintain your account. |
| To communicate with you (e.g., service updates, security alerts, support, when you send us feedback) | Your name, email address, chat handle/identifier and the content of our communication. | Performance of a Contract (Art. 6(1)(b)) & Legitimate Interests (Art. 6(1)(f)): Necessary for service operation and important notifications. |
| To improve our Service and assist with future feature design and development | Aggregated, anonymised data on threat patterns, service usage and performance. | Legitimate Interests (Art. 6(1)(f)): To analyse and improve our product. This data cannot identify you. |
| To fix defects and performance issues of the Service (Bugs) | The minimum personal data required by developers to diagnose a bug or issue with our service. Such data is kept secure and deleted or anonymised once the issue is resolved. | Performance of a Contract (Art. 6(1)(b)) & Legitimate Interests (Art. 6(1)(f)): Necessary to ensure reliable and secure operation of the service. |
| To meet our legal obligations | Any personal data required by law, such as location or residency information (e.g., to comply with sanctions laws). This may be calculated from analysis of technical data like IP addresses. | Compliance with a Legal Obligation (Art. 6(1)(c)): Necessary by law |
| To protect our service against abuse, including bot protection | Any personal data relevant to detecting and preventing fraud and abuse. This includes technical data such as IP addresses, device and browser details, usage logs, and activity patterns that may indicate suspicious or abusive behaviour. | Legitimate Interests (Art. 6(1)(f)): Necessary to ensure the security, integrity, and reliable operation of our services. |

3. How We Share Your Data

  • Sub-processors: We use trusted third-party service providers (sub-processors) to host our service and infrastructure. These providers process data on our instructions and are bound by strict contractual obligations. We only share the minimum required personal data with sub-processors. Sub-processors are listed below in section 5.
  • Legal Obligations: We may disclose data if required by law, such as to comply with a subpoena or other legal process.

We do not and will not sell your personal data.

4. International Transfers

We store your personal data within the European Economic Area (EEA). We do not bulk transfer customer data outside the European Economic Area.

The only time your data may be processed outside the European Economic Area is:

  • As outlined below in a listed sub-processor agreement
  • As outlined below as part of the duties of an international member of our team

We are EU based with an international team. In limited circumstances, members of our team located outside the EEA may need to temporarily access your personal data, for example to provide customer support or to resolve technical issues as per the purposes outlined above. Such access is regarded as an international transfer under the GDPR and is treated with appropriate care. These team members act directly under our authority and only access personal data when necessary for the performance of their duties. Such access may result in your personal data being viewed from outside the EEA.

Where this occurs, we ensure that appropriate safeguards are in place to protect your personal data, including:

  • Lawful mechanisms including the European Commission's Standard Contractual Clauses (SCCs) or adequacy decisions, confidentiality agreements and data processing agreements.
  • Technical measures like encryption and limited access credentials.
  • Organisational security measures including team training and a need-to-know (data sharing minimisation) policy.

5. Listed Sub Processors

5.1 Stripe

We use Stripe (Stripe Payments Europe Limited and affiliated entities) to handle payment processing. Stripe acts as a sub-processor under Stripe's Data Processing Agreement, which incorporates a Data Transfers Addendum that governs how data may be moved across borders.
You can find Stripe's data governance policies here: https://stripe.com/de/legal/

Stripe may, in certain circumstances (for example when needed for fraud prevention, cross-affiliate operations, or other services), transfer personal data outside the EEA. When it does, Stripe ensures appropriate safeguards are in place (such as SCCs or other legally recognized protections) in accordance with applicable law.

5.2 Cloudflare

We use Cloudflare (Cloudflare Germany GmbH) to provide technical services including content distribution, abuse detection and bot detection (Cloudflare Turnstile).

You can find Cloudflare's privacy policy here: https://www.cloudflare.com/privacypolicy/ and the addendum for Turnstile here: https://www.cloudflare.com/turnstile-privacy-policy/

Cloudflare may transfer personal data outside the EEA to the United States. When Cloudflare does this, it relies on its certification under the EU-US Data Privacy Framework.

5.3 Brevo

We use Brevo (Sendinblue Germany (GmbH)) to manage mailing lists.

You can find Brevo's privacy policy here: https://www.brevo.com/legal/privacypolicy/.
Brevo may transfer personal data outside the EEA. Brevo ensures an adequate level of protection of this data through appropriate safeguards and messages.

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes we collected it for.

  • Message Data: By default, all messages are moved to trash 30 days after they are received, and deleted 30 days after that. During the beta, messages may be retained for longer.
  • Account Data: Retained for the duration of your account life. You can cancel your account at any time. Account data is then automatically deleted 30 days after any remaining paid-up usage expires.
  • Normal technical retention of personal data: Data may be temporarily retained in order to facilitate normal usage of the service (e.g. IP address to serve requests from your browser, session ID to facilitate repeated login requests). Whilst most data of this type is cleared within hours, the maximum retention period is 30 days.
  • Exceptional technical retention of personal data: Data may be temporarily retained as needed in order to diagnose defects or performance issues with our service (logging). This data is deleted or anonymised when the issue is resolved; this generally occurs within 7 days.
  • Data retained to prevent abuse: Data may be retained indefinitely when required to prevent abuse, e.g. known fraudulent payment details.
  • Data we are legally required to retain: We retain certain necessary records for as long as legally required, e.g. tax-relevant purchase records must be kept for a minimum of 10 years.

We may retain anonymised or aggregated data indefinitely, as this data does not identify individual users.

7. Your Data Protection Rights

Under GDPR, you have the right to:

  • Access your personal data.
  • Rectify inaccurate data we hold about you.
  • Erase your data (the "right to be forgotten").
  • Restrict or object to our processing of your data.
  • Data portability.
  • Withdraw consent where we rely on it (though we primarily rely on other bases).

You can exercise these rights by contacting us at privacy@id.garden. You also have the right to lodge a complaint with your local Data Protection Authority (DPA).

8. Contact Us

For any questions about this Privacy Policy or your data, please contact our Data Protection Officer (DPO) at:
ID Garden, represented by Defora Networks GmbH
Wallstr. 9, 10179 Berlin, Germany
privacy@id.garden



Cookies

The web app part of our site uses functional cookies for authentication, remembering your preferences and otherwise enabling your use of the app. No third party or tracking cookies are used on our site.

Impressum


  • Name of website owner: Defora Networks GmbH
  • Address: Wallstr. 9, 10179 Berlin, Germany
  • Contact: info@defora.net, +49 (0)1556-333672-3
  • Geschäftsführer: Pierre Pronchery
  • Registered in Berlin Charlottenburg HRB: 205522 B