Privacy Policy

1. General Information and Principles of Data Processing

We are pleased that you are visiting our website. Protecting your privacy and your personal data — known as personal information — when you use our website is a matter of great importance to us.

According to Article 4(1) of the GDPR, personal data refers to any information relating to an identified or identifiable natural person. This includes, for example, information such as your first and last name, your address, your phone number, your e-mail address, and your IP address.

Data for which no connection to your person can be established — such as through anonymization — is not considered personal data. Processing (e.g., collection, storage, retrieval, consultation, use, disclosure, erasure, or destruction) pursuant to Article 4(2) of the GDPR always requires a legal basis or your consent. Processed personal data must be deleted as soon as the purpose of the processing has been achieved and there are no longer any legally required retention obligations to be observed.

Here you will find information about how we handle your personal data when you visit our website. In order to provide the functions and services of our website, it is necessary for us to collect personal data about you. We also explain to you the nature and scope of the respective data processing, the purpose and the corresponding legal basis, and the respective retention period.

This Privacy Policy applies only to this website. It does not apply to other websites to which we merely link via a hyperlink. We cannot assume any responsibility for the confidential handling of your personal data on these third-party websites, as we have no influence over whether these companies comply with data protection regulations. Please refer directly to these websites for information regarding how these companies handle your personal data.

2. Data Controller

The controller responsible for the processing of personal data on this website is:

Müller Fullstack Engineering GmbH
represented by Managing Director Stefan Müller
Pappelallee 78/79
10437 Berlin
Germany
Phone: +49 176 80314089
E-mail: contact@velaatlas.com

3. Provision and Use of the Website / Server Log Files

a) Nature and scope of data processing

When you use this website without otherwise transmitting data to us (e.g., through registration), we collect technically necessary data via server log files that are automatically transmitted to our server, including:

IP address
Date and time of the request
Name and URL of the file accessed
Website from which access is made (referrer URL)
Access status / HTTP status code
Browser type
Language and version of the browser software
Operating system

b) Purpose and Legal Basis

This processing is technically necessary to display our website to you. We also use the data to ensure the security and stability of our website. The legal basis for this processing is Art. 6(1)(f) of the GDPR. The processing of the aforementioned data is necessary for the provision of a website and thus serves to safeguard the legitimate interest of our company.

c) Retention period

As soon as the aforementioned personal data is no longer required to display the website, it will be deleted; this usually occurs within 90 days. The collection of data for the provision of the website and the storage of data in log files is absolutely necessary for the operation of the website. Consequently, the user has no right to object to this aspect. Further storage may occur in individual cases if required by law.

Hosting by IONOS

The website is hosted by IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany (hereinafter „IONOS»). IONOS provides the server capacity and handles the technical administration of the website.

As part of the hosting service, IONOS processes the personal data of website visitors on our behalf and in accordance with our instructions. Processing takes place exclusively in data centers within the European Union.

We have entered into a data processing agreement with IONOS in accordance with Article 28 of the GDPR to ensure that your data is processed in compliance with European data protection regulations.

The following data is processed as part of the hosting service:

IP addresses of website visitors
Date and time of access
Pages and files accessed
Amount of data transferred
Notifications of successful requests
Browser type and version
User’s operating system
Referrer URL (the previously visited page)

The data is processed for the following purposes: ensuring a smooth connection to the website, ensuring a comfortable user experience on our website, evaluating system security and stability, and administrative purposes.

The legal basis for processing the data is Article 6(1)(f) of the GDPR. Our legitimate interest arises from the aforementioned purposes for data collection. For more information on data processing and data protection at IONOS, please visit: https://www.ionos.de/terms-gtc/terms-privacy

4. Use of Cookies

a) Nature, scope, and purpose of data processing

We use cookies. Cookies are small files that we send to the browser on your device during your visit to our website and that are stored there.

Some features of our website cannot be provided without the use of technically necessary cookies. Other cookies, however, enable us to perform various analyses. For example, some cookies can recognize the browser you are using when you visit our website again and transmit various information to us. We use cookies to facilitate and improve the use of our website. If third parties process information via cookies, they collect this information directly through your browser. However, cookies do not cause any damage to your device. They cannot execute programs and do not contain viruses.

Temporary Cookies / Session Cookies

Our website uses so-called temporary cookies, or session cookies, which are automatically deleted as soon as you close your browser. These cookies allow us to record your session ID. This enables us to associate various requests from your browser with a single session and to recognize your device during subsequent visits to the website.

Persistent Cookies

Our website uses so-called persistent cookies. Persistent cookies are cookies that are stored in your browser for an extended period of time and can transmit information. The storage duration varies depending on the cookie. You can delete persistent cookies yourself via your browser settings.

Configuring browser settings

Most web browsers are set by default to automatically accept cookies. However, you can configure your browser to accept only certain cookies or none at all. Please note, however, that you may then no longer be able to use all features of our website. You can also use your browser settings to delete cookies already stored in your browser. Furthermore, it is possible to set your browser to notify you before cookies are stored. Since different browsers may function differently, we ask that you consult your browser’s help menu for the relevant configuration options.

b) Legal Basis

Based on the purposes described, the legal basis for the processing of personal data using cookies is Article 6(1)(f) of the GDPR. If you have given us your consent to the use of cookies based on a notice provided by us on the website („cookie banner»), the legal basis is additionally Article 6(1)(a) of the GDPR.

c) Retention period

As soon as the data transmitted to us via cookies is no longer required for the purposes described above, this information will be deleted. Further storage may occur in individual cases if required by law.

5. Data collection for the implementation of pre-contractual measures and for contract performance

a) Nature and scope of data processing

We collect personal data about you during the pre-contractual phase and upon conclusion of the contract. This includes, for example, your first and last name, address, e-mail address, phone number, or bank details.

b) Purpose and legal basis

We collect and process this data exclusively for the purpose of contract performance or to fulfill pre-contractual obligations. The legal basis for this is Article 6(1)(b) of the GDPR. If you have also given your consent, the additional legal basis is Article 6(1)(a) of the GDPR.

c) Retention period

The data will be deleted as soon as it is no longer necessary for the purpose of its processing. In addition, statutory retention obligations may apply, such as commercial or tax law retention obligations under the German Commercial Code (HGB) or the German Fiscal Code (AO). If such retention obligations exist, we will block or delete your data upon the expiration of these retention obligations.

6. Configurator

On our website, we offer a configurator that allows the Customer to individually configure products. As part of this process, personal data is collected, processed, and used. This data includes, in particular:

the selection of the cloud provider (GCP or AWS)
optional components (frontend, DB, config server)
migration tool
stages
repository structure
branching
and the number of services

The processing of personal data is carried out for the purpose of providing and customizing our services in accordance with the Customer’s specifications. To this end, it is necessary to store and process the data entered by the Customer in order to create the desired configuration and deliver the corresponding products.

The legal basis for the processing of personal data is Article 6(1)(b) of the GDPR, as the processing is necessary for the performance of a contract to which the Customer is a party, or for the implementation of pre-contractual measures taken at the Customer’s request.

Personal data will only be disclosed to third parties if this is necessary to fulfill the contract, the Customer has expressly consented, or we are legally obligated to do so. Third parties in this context may include, in particular, cloud service providers necessary for the provision of the desired configuration.

6a. Shared Configurations (Share Link)

Within the Vela Atlas configurator, you have the option of sharing a selection you have made with third parties via a generated link (e.g. for internal coordination within the orderer’s company).

a) Nature and scope of the data processing

When you click «Share configuration», we store the selection made in the configurator (e.g. selected cloud provider, frontend option, service names) under a randomly generated 12-character identifier in our database. Personal data (in particular name, e-mail address, postal address or payment data) are not stored in this context.

To prevent misuse (limit of a maximum of 30 generations per hour per IP address), your IP address is processed for a maximum of one hour in hashed form (MD5) as a mere counter value.

When a shared configuration link is opened, the identifier is read exclusively from the called web address. The identifier is not stored in the user’s browser (no cookies, no local storage, no session storage).

b) Purpose and legal basis

The purpose of the processing is to provide a technical convenience feature within the Vela Atlas configurator, with which a product configuration can be coordinated within the orderer’s company (e.g. between the technical architect and the procurement department), as well as the prevention of misuse of the feature.

We base this processing on Art. 6(1)(f) of the GDPR. Our legitimate interest lies in enabling buyers of the Vela Atlas configurator to coordinate a configuration internally within their team (e.g. between technical assessment and procurement), and in protecting the share function of the configurator against automated mass usage.

c) Storage period

The stored configuration selection is automatically deleted no later than 90 days after creation. The hashed IP counter values processed for misuse prevention are automatically deleted no later than one hour after creation.

d) Forwarding to third-party providers

Within the share dialog of the Vela Atlas configurator, buttons are available for forwarding to external services (e-mail program, WhatsApp, LinkedIn). A transmission to these services only takes place if you actively click the corresponding button and thereby trigger a forwarding to the respective provider. Once the forwarding has taken place, the respective provider processes the content sent by you from the Vela Atlas configurator according to its own data protection rules. We are not involved in this step and can neither view nor influence it.

7. Data Transfer

We will only disclose your personal data to third parties if:

You have given your explicit consent pursuant to Art. 6(1)(a) of the GDPR.
this is legally permissible and necessary under Article 6(1)(b) of the GDPR to fulfill a contractual relationship with you or to take steps prior to entering into a contract.
there is a legal obligation to disclose the data under Article 6(1)(c) of the GDPR. We are legally obligated to transfer data to government authorities, e.g., tax authorities, social security agencies, health insurance providers, regulatory agencies, and law enforcement agencies.
the disclosure is necessary under Article 6(1)(f) of the GDPR to safeguard legitimate business interests, as well as to assert, exercise, or defend legal claims, and there is no reason to assume that you have an overriding legitimate interest in the non-disclosure of your data.
in accordance with Article 28 of the GDPR, we engage external service providers, known as data processors, in the processing of your data, who are obligated to handle your data with due care.

When transferring data to external entities in third countries, i.e., outside the EU or the EEA, we ensure that these entities handle your personal data with the same care as within the EU or the EEA. We only transfer personal data to third countries where the EU Commission has confirmed an adequate level of protection or where we ensure the careful handling of personal data through contractual agreements or other suitable safeguards.

8. Data Transfer to GitHub Inc. (USA) — Build Process

When a software package is ordered, we transmit order details and technical configuration details of the Customer to GitHub, Inc. in order to create the ordered software repositories and the associated cloud infrastructure.

The recipient is GitHub, Inc., 88 Colin P Kelly Jr Street, San Francisco, CA 94107, USA.

Data transmitted

Contact and order details:

Company name or first and last name
E-mail address
Order ID
Order date
Order year

Technical configuration of the project:

App Name — freely selectable project name
GitHub Repository Owner — the Customer’s GitHub account name
Cloud platform selection (database, config_server, frontend — yes/no for each)
Deployment stages — e.g., „dev, staging, prod»
Backend service names — the service names assigned by the Customer
Branching strategy — yes/no
Repository structure — monorepo or split repos
Language for manual generation — de/en/es
Optional: Custom hostname, if a custom domain is used
„Upload to Git» option — yes/no
Migration tool — Liquibase or Flyway
Docker image URI — which builder version is used

Cloud provider credentials (transmitted encrypted):

If the Customer has chosen GCP as the cloud platform:

GCP Project ID
GCP Project Number
GCP project region
GCP Bootstrap Token — temporary access token for infrastructure setup

If the Customer has chosen AWS as the cloud platform:

AWS Account ID
AWS Region
AWS Bootstrap Token — temporary access token for infrastructure setup

GitHub credentials:

Customer’s GitHub Personal Access Token — used exclusively to create the ordered repositories in the Customer’s GitHub account

Internal build control (no personal data):

Callback URL — our endpoint to which GitHub reports the status upon build completion
Callback secret — one-time token for verifying the response

Purpose, legal basis, and protective measures

Purpose of the transfer: Creation of the ordered software repositories in the Customer’s GitHub account, as well as the automated setup of the associated cloud infrastructure via the GitHub Actions workflow.

The legal basis for data collection is Art. 6(1)(a) GDPR (consent) in conjunction with Art. 49(1)(a) GDPR (explicit consent to a transfer to a third country). Consent is actively granted during the ordering process by checking a mandatory consent checkbox. Without this consent, the ordered service cannot be provided — an order without consent is technically not possible.

The data is transferred to a server in the United States. GitHub is a member of the EU-US Data Privacy Framework. Additionally, a Data Protection Addendum (DPA) with EU Standard Contractual Clauses pursuant to Article 46(2)(c) of the GDPR has been established with GitHub.

Special handling of access tokens

Cloud provider bootstrap tokens (GCP/AWS) are used exclusively for one-time infrastructure setup and are discarded immediately after successful use. They are not stored in GitHub repositories. The GitHub Personal Access Token is used exclusively for repository creation and is discarded upon completion of the build process. All tokens are transmitted exclusively in encrypted form via HTTPS and GitHub Actions Secrets.

Retention period

On our end: Configuration data until the build process is complete, plus a 30-day error analysis window. Cloud tokens are deleted immediately after use.

At GitHub: Build logs in accordance with the GitHub Actions standard (typically 90 days, configurable). Repositories remain in the Customer’s GitHub account under their control.

The Customer may revoke their consent at any time with future effect — simply send a notification to contact@velaatlas.com. The revocation does not affect data transfers that have already been completed. Revoking consent after placing an order will prevent the build process from being executed.

Further information on the processing of data by GitHub can be found in their Privacy Policy: github-general-privacy-statement

A data processing agreement has been concluded with GitHub in accordance with Art. 28 GDPR in conjunction with standard contractual clauses for transfers to third countries.

As part of the ordered service, the generated software repositories are created directly in the Customer’s GitHub account, and the associated cloud infrastructure is set up in their AWS or GCP account. For this purpose, we use the access tokens provided by the Customer in the order form (GitHub Personal Access Token, Cloud Bootstrap Token) exclusively on a one-time basis for creation and discard them immediately after successful setup. The Customer remains the controller within the meaning of the GDPR for the repositories stored in their GitHub account and the infrastructure set up in their cloud account (AWS, GCP).

The relationship between the Customer and GitHub, Amazon Web Services, or Google Cloud Platform is governed by their respective privacy policies and terms of service; consent to us is not required for this, as the resources are located in the Customer’s own account and under the Customer’s own control.

The legal basis for this is Art. 6(1)(b) GDPR (performance of a contract). The provision of the tokens by the Customer in the order form is deemed to be an implied authorization for the one-time infrastructure setup on their behalf.

Further information from the third-party providers:

GitHub: github-general-privacy-statement
Amazon Web Services: aws.amazon.com/de/privacy
Google Cloud Platform: cloud.google.com/terms/cloud-privacy-notice

9. Contact Options via E-mail

Our website offers you the option to contact us via e-mail.

a) Nature and scope of data processing

You can contact us via e-mail. Our data collection is limited to the e-mail address of the e-mail account you use to contact us, as well as any personal data you voluntarily provide when contacting us.

b) Purpose and legal basis

The purpose of data processing is to enable us to respond appropriately to your inquiry. The legal basis for this is Article 6(1)(f) of the GDPR. There is a legitimate interest in processing the aforementioned personal data in order to handle your inquiry appropriately.

c) Retention period

The duration of storage of the aforementioned data depends on the reason for your contact. Your personal data is regularly deleted once the purpose of the communication no longer applies and storage is no longer necessary. This may result, for example, from the resolution of your inquiry.

10. Validation of the VAT Identification Number (VAT ID No.)

As part of our business relationships and to fulfill our contractual obligations, we reserve the right to validate our customers’ VAT identification numbers (VAT ID). This validation is performed in real-time via the European Commission’s VAT Information Exchange System (VIES).

In this process, the Customer’s VAT ID No. is transmitted to the European Commission (VIES) to verify the validity of the VAT ID No. This processing is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR, as it is necessary to ensure the correct recording and billing of VAT.

The data transmitted consists exclusively of the Customer’s VAT ID number. No other personal data is transmitted to the European Commission in this context.

11. E-mail Delivery via IONOS

As part of our business processes, we send all transactional e-mails — such as order confirmations, links to the order data form, build status notifications, and download links — via the e-mail service of our hosting provider IONOS SE. IONOS also handles the outbound delivery of our transactional e-mails.

As part of the e-mail sending process, the sender’s and recipient’s e-mail addresses, the subject line, the content of the e-mail, and the timestamp are processed.

Processing is based on Art. 6(1)(b) GDPR (performance of a contract) for the sending of transactional e-mails. Additionally, e-mail sending is logged based on Art. 6(1)(f) GDPR (legitimate interest) to ensure the security and traceability of our communication processes.

Data processing takes place exclusively in IONOS data centers within the European Union, thereby ensuring compliance with European data protection standards. We have a data processing agreement with IONOS in accordance with Art. 28 GDPR that also covers the e-mail service.

12. Tracking and Analytics Tools and Services Used

The following services, plugins, and tracking technologies are used on our website:

Lexware Office (Haufe-Lexware GmbH & Co. KG)

We use the Lexware Office software, a product of Haufe-Lexware GmbH & Co. KG, Munzinger Straße 9, 79111 Freiburg, Germany (hereinafter „Lexware»). We use Lexware Office for invoicing and ZM export (recapitulative statement). The integration is implemented via an API in our own plugin, transferring order and invoice data directly to Lexware Office.

In the course of using Lexware Office, personal data of customers is processed. The processed data includes, in particular, master data (such as company, name, address, e-mail address, VAT ID), invoice data (line items, amounts, tax rates), and payment and transaction data. This data is processed on Lexware Office servers in Germany.

The legal basis for processing is Art. 6(1)(b) GDPR (performance of a contract) as well as Art. 6(1)(c) GDPR (legal obligation, in particular commercial and tax retention and reporting obligations).

A data processing agreement with Lexware Office pursuant to Art. 28 GDPR is in place. For more information on data processing by Lexware Office, please refer to: lexoffice.de/datenschutz

Real Cookie Banner (devowl.io)

Our website uses the Real Cookie Banner plugin, which is operated by devowl.io GmbH, Tannet 12, 94539 Grafling, Germany. Real Cookie Banner enables us to obtain and manage consent for the use of cookies and other tracking technologies on our website in compliance with the law.

In connection with the use of Real Cookie Banner, users’ personal data is collected, processed, and used. This data includes, in particular:

User’s consent status (Yes/No)
Time of consent
User ID
IP address (in anonymized form)

The processing of personal data is carried out for the purpose of fulfilling our legal obligations pursuant to Art. 6(1)(c) of the GDPR, in particular to comply with the requirements of the General Data Protection Regulation (GDPR) and the German Telemedia Act (TMG) regarding the collection of consent for the use of cookies.

Further information on data collection can be found in the privacy policy at: devowl.io/de/datenschutzerklaerung

Stripe

We offer the option to complete the payment process through the payment service provider Stripe Payments. When paying via Stripe, we share the information you provided during the ordering process, along with details about your order (name, address, account number, bank routing number, credit card number if applicable, invoice amount, currency, and transaction number), in accordance with Article 6(1)(b) of the GDPR. Your data is transferred exclusively for the purpose of payment processing with the payment service provider Stripe Payments and only to the extent necessary for this purpose.

Further information about the payment service provider Stripe in Europe: Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Central Dock, Dublin, D02 H210, Ireland. Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA.

For more information on Stripe’s privacy policy, please visit: stripe.com/de/privacy

WordPress

We use the open-source software WordPress on our website, which is developed and provided by the WordPress Foundation. WordPress is a content management system (CMS) that allows us to create and manage our website. We use a self-hosted setup hosted on the servers of our hosting provider IONOS in Germany.

The data collected in connection with the use of WordPress (such as the pages you visit, the duration of your visit, the IP address, the time of access, and the plugins and widgets used) is processed exclusively on our IONOS servers in Germany. This processing is already covered in Section 3 (Server Log Files / IONOS Hosting) and is based on the legitimate interest pursuant to Art. 6(1)(f) GDPR.

No data is transferred to Automattic, Inc., the operator of the hosted service wordpress.com, in our setup. Akismet, Jetpack, or Gravatar are not active here.

WooCommerce

Our website uses WooCommerce, an e-commerce plugin developed by Automattic, Inc. WooCommerce enables us to create and manage our online store, including order processing and product management.

In connection with the use of WooCommerce, customers’ personal data is collected, processed, and used. This data includes, in particular:

Name and address
E-mail address
Phone number
Payment information
Order details

Personal data is processed for the purpose of processing orders, delivering products and services, and handling payments. The legal basis for processing personal data is Article 6(1)(b) of the GDPR, as the processing is necessary for the performance of a contract to which the Customer is a party.

Actual, minimal data flows to Automattic occur solely via automatic plugin update calls from WooCommerce to woocommerce.com (IP address + version information). These are necessary to ensure the functionality and security of the plugin and are based on our legitimate interest pursuant to Article 6(1)(f) of the GDPR.

In all other respects, Automattic’s privacy policy applies at: automattic.com/privacy

13. Data Security and Security Measures

We are committed to protecting your privacy and treating your personal data confidentially. To this end, we implement comprehensive technical and organizational security measures, which are regularly reviewed and adapted to technological advancements.

This includes, among other things, the use of recognized encryption methods (SSL or TLS). However, data disclosed in unencrypted form, for example via unencrypted e-mail, may be read by third parties. We have no control over this. It is the responsibility of the respective users to protect the data they provide against misuse through encryption or other means.

14. Changes to the Privacy Policy

We reserve the right to update this policy at any time as necessary.

15. Your Rights

Here you will find your rights regarding your personal data. Details are set forth in Articles 7, 15–22, and 77 of the GDPR. You may contact the controller (Section 2) regarding this matter.

Right to withdraw your consent under data protection law pursuant to Art. 7(3)(1) GDPR

You may withdraw your consent to the processing of your personal data at any time with future effect. However, this does not affect the lawfulness of the processing carried out prior to the withdrawal.

Right of access under Article 15 of the GDPR

You have the right to request confirmation as to whether we process personal data concerning you. If this is the case, you have the right to access this personal data as well as to further information, e.g., the purposes of processing, the categories of personal data processed, the recipients, and the planned duration of storage or the criteria for determining the duration.

Right to rectification and completion under Article 16 of the GDPR

You have the right to request the immediate rectification of inaccurate data. Considering the purposes of the processing, you have the right to request the completion of incomplete data.

Right to erasure („right to be forgotten») under Article 17 of the GDPR

You have the right to erasure provided that the processing is not necessary. This is the case, for example, if your data is no longer necessary for the original purposes, you have withdrawn your consent under data protection law, or the data has been processed unlawfully.

Right to restriction of processing under Article 18 of the GDPR

You have the right to restrict processing, e.g., if you believe personal data is inaccurate.

Right to data portability under Article 20 of the GDPR

You have the right to receive the personal data concerning you in a structured, commonly used, and machine-readable format.

Right to object under Article 21 of the GDPR

You have the right to object at any time, on grounds relating to your particular situation, to the processing of certain personal data concerning you. In the case of direct marketing, you, as the data subject, have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing; this also applies to profiling to the extent that it is related to such direct marketing.

Automated decision-making in individual cases, including profiling, pursuant to Article 22 of the GDPR

You have the right not to be subject to a decision based solely on automated processing, including profiling — except in the exceptional cases mentioned in Article 22 of the GDPR. Decision-making based solely on automated processing, including profiling, does not take place.

Filing a complaint with a data protection supervisory authority under Article 77 of the GDPR

In addition, you may lodge a complaint with a data protection supervisory authority at any time, for example if you believe that the processing of your data does not comply with data protection regulations.

As of: 12.05.2026