SankeyArt Privacy Policy

This Privacy Policy describes how your Personal Information is collected, used, and shared when you use our Services, including our website, web-based diagram editor, and add-ins for platforms such as Microsoft Excel, PowerPoint, and Power BI (collectively, the "Services").

1. Identity and contact

We are:

  • SankeyArt GmbH
  • Fahrenheitstraße 1
  • 28209 Bremen
  • Germany

If you have questions, or if you would like to make a complaint, please contact us by email at [email protected].

2. Personal Information we collect

When you use our Services, we collect the following types of Personal Information:

  • Account Information: When you create an account, we collect your name, email address, and any other information you voluntarily provide.
  • Payment Information: If you purchase a subscription, we collect billing details such as your payment method, billing address, and transaction details. Payment processing is handled by third-party providers (e.g., Stripe).
  • Device Information: Automatically collected data about your device, including your web browser, IP address, time zone, and cookies installed on your device.
  • Professional Information: We may collect and infer additional professional details about you, such as job title, industry, and company size, using your name and organization information through third-party IT services that access publicly available information.
  • Usage and Analytics Information: We collect data about how you interact with our Services, including page views, clicks, and error reports to improve our Services and troubleshoot issues.

When we talk about "Personal Information" in this Privacy Policy, we are referring to Account Information, Payment Information, Device Information, Professional Information, and Usage and Analytics Information.

3. How do we use your Personal Information?

3.1 Purposes and Legal Basis

We use the information we collect for the following purposes, with the corresponding lawful basis under GDPR:

  • Provide and maintain the Services, including both free and paid features. Lawful basis: Contract performance (Article 6(1)(b) GDPR).
  • Process subscription payments and manage billing. Lawful basis: Contract performance (Article 6(1)(b) GDPR).
  • Communicate with you about your account and service updates. Lawful basis: Contract performance (Article 6(1)(b) GDPR).
  • Send you promotional offers and marketing communications in line with your preferences. Lawful basis: Consent (Article 6(1)(a) GDPR).
  • Improve and optimize the Services by analyzing user behavior and feedback. Lawful basis: Legitimate interest (Article 6(1)(f) GDPR) - our interest in improving our services.
  • Detect and prevent fraud or unauthorized access. Lawful basis: Legitimate interest (Article 6(1)(f) GDPR) - our interest in protecting our services and users.
  • Track errors and monitor system performance. Lawful basis: Legitimate interest (Article 6(1)(f) GDPR) - our interest in maintaining service quality.
  • Deliver targeted advertising and measure advertising effectiveness. Lawful basis: Consent (Article 6(1)(a) GDPR).

3.2 Children's Privacy

Our Services are not directed to children under the age of 13, and we request that they do not provide Personal Information to us. In certain jurisdictions, including under the EU General Data Protection Regulation (GDPR), higher age limits may apply (typically between 13 and 16 years, depending on local law). We do not knowingly collect Personal Information from children under the applicable minimum age. We do not actively verify the age of our users, but if we learn that we have inadvertently collected Personal Information from a child under the applicable minimum age, we will delete such information promptly.

4. Sharing your Personal Information

We share your Personal Information with third parties to help us use your Personal Information, as described above. For example, we use Stripe to handle payments. You can read more about how Stripe uses your Personal Information here: https://stripe.com/en-de/privacy.

Finally, we may also share your Personal Information to comply with applicable laws and regulations, to respond to a subpoena, search warrant, or other lawful request for information we receive, or to otherwise protect our rights.

5. Do not track

Please note that we do not alter our Services' data collection and use practices when we see a Do Not Track signal from your browser.

6. Your rights

If you are located in the European Economic Area (EEA), you have the following rights regarding your Personal Information under the GDPR:

  • Right of Access (Article 15): You have the right to request access to Personal Information we hold about you and receive a copy of that information.
  • Right to Rectification (Article 16): You have the right to ask that your Personal Information be corrected if it is inaccurate or incomplete.
  • Right to Erasure (Article 17): You have the right to request deletion of your Personal Information in certain circumstances.
  • Right to Restriction of Processing (Article 18): You have the right to request that we limit the processing of your Personal Information in certain circumstances.
  • Right to Data Portability (Article 20): You have the right to receive your Personal Information in a structured, commonly used format and to transmit it to another controller.
  • Right to Object (Article 21): You have the right to object to processing of your Personal Information based on legitimate interests or for direct marketing purposes.
  • Rights Related to Automated Decision-making (Article 22): You have the right not to be subject to automated decision-making, including profiling, that produces legal effects or significantly affects you. Currently, we do not engage in automated decision-making that would trigger these rights.
  • Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw your consent at any time.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within one month, though this may be extended by two additional months in complex cases.

Additionally, if you are located in the EEA, we note that we are processing your information in order to fulfill contracts we might have with you (for example, if you purchase a subscription and use our paid Services), or otherwise to pursue our legitimate business interests listed above. Please also note that your information will be transferred outside of the EEA, including to Canada and the United States. If your Personal Information is transferred outside the EEA, we apply the same retention criteria and safeguards.

If you are a resident of California or another jurisdiction with specific privacy rights, you may have additional rights under applicable law.

7. Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your Personal Information violates the GDPR. As we are based in Bremen, Germany, you can contact the Bremen state data protection authority:

Die Landesbeauftragte für Datenschutz und Informationsfreiheit der Freien Hansestadt Bremen
Arndtstraße 1
27570 Bremerhaven
Germany
Phone: +49 471 596-2010
Email: [email protected]
Website: https://www.datenschutz.bremen.de

You may also contact the data protection authority in your country of residence or where you believe the violation occurred.

8. Data retention

We retain your Personal Information for different periods depending on the type of data and legal requirements:

  • Account Information: Kept for the life of your account and deleted upon your request to close the account, unless retention is required by law.
  • Payment Information: Retained for as long as legally necessary to comply with tax, accounting, and other regulatory obligations.
  • Device Information, Usage and Analytics Information: Retained as long as necessary to operate, improve, and understand usage of our Services. These data sets are reviewed at least annually, and any data no longer needed is deleted or anonymized.
  • Professional Information: Kept for the life of your account and deleted upon request, unless retention is required by law.

In all cases, we apply the principle of data minimization and periodically assess whether continued retention of your information is necessary. Once the relevant retention period expires or the data is no longer needed, we will delete or anonymize it in accordance with applicable laws.

You may request deletion of your Personal Information at any time by contacting us at [email protected]. In such cases, we will delete your data unless retention is required by law or necessary for legitimate business purposes.

9. Data connections

When you use our Services, connections to third-party domains may be established for the following purposes:

  • Payment processing services
  • Content delivery networks for static assets
  • AI services for content generation and analysis
  • Analytics and error tracking services
  • Advertising and marketing platforms

10. Changes

We may update this Privacy Policy from time to time in order to reflect, for example, changes to our practices or for other operational, legal, or regulatory reasons.

Last updated: October 3, 2025