This Privacy Policy (hereinafter “Policy”) explains how Morphica Technologies, operating under the trade name “ThesisDraft” (hereinafter “Controller”, “we”, “us”, or “our”) collects, processes, stores, and protects personal data in connection with the operation of the website thesisdraft.com and the provision of our services. This Policy is issued in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, “GDPR”), the German Federal Data Protection Act (Bundesdatenschutzgesetz, “BDSG”), and the German Telecommunications-Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz, “TTDSG”).
§ 1 — Identity and Contact Details of the Controller
1.1. The Controller within the meaning of Article 4(7) GDPR is:
Morphica Technologies
(operating as ThesisDraft)
Email: contact@morphica.de
Website: thesisdraft.com
1.2. The Controller has not appointed a Data Protection Officer pursuant to Article 37 GDPR, as the conditions set forth in Article 37(1)(b) and (c) GDPR and § 38 BDSG are not met. For all data protection inquiries, the Controller may be contacted directly at the email address stated above.
§ 2 — Categories of Personal Data Processed
2.1. In the course of providing our services and operating the Platform, we collect and process the following categories of personal data:
2.1.1. Data Provided Directly by the Data Subject
- Email address — provided by the Client for the purpose of order communication and delivery of the Deliverable. We explicitly encourage the use of anonymous or pseudonymous email addresses and do not require the provision of a real name or institutional email.
- Order details — thesis topic, academic level (Bachelor/Master), specific requirements, and any additional instructions provided by the Client in connection with an Order.
2.1.2. Data Collected Automatically
- Server log data — IP address (anonymized), browser type and version, operating system, referrer URL, date and time of access, pages visited, and data volume transferred. This data is collected automatically by our web hosting infrastructure for the purposes of ensuring system security and stability.
- Cookie data — as described in detail in § 8 of this Policy.
2.1.3. Data Processed by Third-Party Processors
- Payment data — payment card number, expiration date, CVC, billing address, and transaction metadata are collected and processed exclusively by Stripe, Inc. (hereinafter “Stripe”) as an independent payment processor. The Controller does not receive, access, process, or store payment card data at any time. Stripe acts as a joint controller or independent controller (as applicable) for such data processing activities.
- Analytics data — anonymized usage data collected through Google Analytics (operated by Google Ireland Limited), including pages visited, session duration, bounce rate, and approximate geographic location (country/city level), processed only upon the Data Subject's prior consent.
2.2. We expressly do not collect the following categories of data: full legal names, postal addresses (unless required for invoicing), telephone numbers, dates of birth, university or institutional affiliations, student identification numbers, government-issued identification numbers, or any special categories of personal data within the meaning of Article 9 GDPR.
§ 3 — Purposes of Processing and Legal Bases
3.1. We process personal data exclusively for the purposes set forth below, each linked to the applicable legal basis under Article 6(1) GDPR:
| Purpose | Legal Basis |
|---|---|
| Performance of the contract (order processing, delivery of Deliverables, communication) | Art. 6(1)(b) GDPR — necessity for the performance of a contract |
| Payment processing via Stripe | Art. 6(1)(b) GDPR — necessity for the performance of a contract |
| Compliance with legal retention obligations (tax law, commercial law) | Art. 6(1)(c) GDPR — compliance with a legal obligation (§§ 147 AO, 257 HGB) |
| Website analytics and improvement (Google Analytics) | Art. 6(1)(a) GDPR — consent of the Data Subject |
| Ensuring system security, fraud prevention, and abuse detection | Art. 6(1)(f) GDPR — legitimate interests of the Controller |
| Defense of legal claims and assertion of rights | Art. 6(1)(f) GDPR — legitimate interests of the Controller |
3.2. Where processing is based on the legitimate interests of the Controller pursuant to Article 6(1)(f) GDPR, the Controller has conducted a balancing test and has determined that its legitimate interests are not overridden by the interests, fundamental rights, or fundamental freedoms of the Data Subject.
§ 4 — Recipients and Third-Party Data Sharing
4.1. Personal data is shared with the following categories of recipients, solely to the extent necessary for the purposes specified in § 3:
- Stripe, Inc. (510 Townsend Street, San Francisco, CA 94103, USA) — for payment processing. Stripe is certified under the EU-US Data Privacy Framework. Stripe's privacy policy is available at stripe.com/privacy. Data transfers to the United States are safeguarded pursuant to Article 45 GDPR (adequacy decision) and, as a fallback, Article 46(2)(c) GDPR (Standard Contractual Clauses).
- Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) — for website analytics via Google Analytics 4. IP anonymization is enabled by default. Data may be transferred to Google LLC in the United States, safeguarded by the EU-US Data Privacy Framework and Standard Contractual Clauses. Google's privacy policy is available at policies.google.com/privacy.
- Hosting provider — our web hosting provider processes server log data as a data processor within the meaning of Article 28 GDPR. A Data Processing Agreement (Auftragsverarbeitungsvertrag, “AVV”) has been concluded with the hosting provider in accordance with Article 28(3) GDPR.
4.2. Beyond the recipients listed above, personal data is not disclosed, sold, rented, or otherwise made available to any third parties, unless: (a) the Data Subject has given explicit consent; (b) disclosure is required by applicable law, regulation, or order of a competent court or governmental authority; or (c) disclosure is necessary for the establishment, exercise, or defense of legal claims.
§ 5 — International Data Transfers
5.1. Where personal data is transferred to recipients in countries outside the European Economic Area (“EEA”) that have not been recognized by the European Commission as providing an adequate level of data protection pursuant to Article 45 GDPR, such transfers are subject to appropriate safeguards within the meaning of Article 46 GDPR, including:
- Standard Contractual Clauses adopted by the European Commission pursuant to Article 46(2)(c) GDPR (Commission Implementing Decision (EU) 2021/914);
- Certification under the EU-US Data Privacy Framework pursuant to Commission Implementing Decision C(2023) 4745 of 10 July 2023;
- Binding Corporate Rules pursuant to Article 47 GDPR, where applicable.
5.2. The Data Subject may obtain a copy of the applicable safeguards by contacting the Controller at contact@morphica.de.
§ 6 — Data Retention Periods
6.1. Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable legal retention obligations. The following retention periods apply:
- Order and transaction data: Ten (10) years from the end of the calendar year in which the transaction occurred, in compliance with §§ 147(1) No. 1 and 4 of the German Fiscal Code (Abgabenordnung, “AO”) and § 257(1) Nos. 1 and 4 of the German Commercial Code (Handelsgesetzbuch, “HGB”).
- Email addresses used solely for order delivery: Retained for the duration of the contractual relationship plus the applicable statutory retention period. Deletion upon request is possible for email addresses not linked to retained transaction data.
- Server log data: Automatically deleted after fourteen (14) calendar days, unless longer retention is required for the investigation of security incidents.
- Analytics data (Google Analytics): Retained in accordance with Google's data retention settings, currently configured to twenty-six (26) months.
- Consent records: Retained for the duration of the consent plus three (3) years following withdrawal or expiration, in order to demonstrate compliance with Article 7(1) GDPR.
6.2. Upon expiration of the applicable retention period, personal data is securely deleted or irreversibly anonymized in accordance with Article 17 GDPR and applicable technical standards.
§ 7 — Rights of the Data Subject
7.1. The Data Subject has the following rights under the GDPR, which may be exercised at any time by contacting the Controller at contact@morphica.de:
- Right of Access (Article 15 GDPR): The Data Subject has the right to obtain confirmation as to whether personal data concerning them is being processed and, where that is the case, to access the personal data and receive information about the purposes of processing, the categories of data concerned, the recipients, the retention period, and the existence of the rights described herein.
- Right to Rectification (Article 16 GDPR): The Data Subject has the right to obtain the rectification of inaccurate personal data and the completion of incomplete personal data.
- Right to Erasure (Article 17 GDPR): The Data Subject has the right to obtain the erasure of personal data without undue delay where one of the grounds set forth in Article 17(1) GDPR applies, unless processing is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims.
- Right to Restriction of Processing (Article 18 GDPR): The Data Subject has the right to obtain restriction of processing where: the accuracy of the data is contested; the processing is unlawful; the Controller no longer needs the data; or the Data Subject has objected to processing pursuant to Article 21(1) GDPR.
- Right to Data Portability (Article 20 GDPR): The Data Subject has the right to receive their personal data in a structured, commonly used, and machine-readable format (e.g., JSON or CSV) and to transmit that data to another controller without hindrance, where processing is based on consent or contract and is carried out by automated means.
- Right to Object (Article 21 GDPR): The Data Subject has the right to object, on grounds relating to their particular situation, to the processing of personal data based on Article 6(1)(f) GDPR. Upon receipt of such objection, the Controller shall cease processing unless it demonstrates compelling legitimate grounds that override the interests, rights, and freedoms of the Data Subject.
- Right to Withdraw Consent (Article 7(3) GDPR): Where processing is based on consent, the Data Subject has the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
- Right Not to Be Subject to Automated Decision-Making (Article 22 GDPR): The Data Subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects them. The Controller does not currently engage in automated individual decision-making or profiling as defined in Article 22 GDPR.
7.2. The Controller shall respond to requests exercising the above rights without undue delay and in any event within one (1) month of receipt of the request, pursuant to Article 12(3) GDPR. This period may be extended by a further two (2) months where necessary, taking into account the complexity and number of requests.
7.3. The Controller may request information necessary to confirm the identity of the Data Subject prior to processing the request, in accordance with Article 12(6) GDPR.
§ 8 — Cookies and Tracking Technologies
8.1. The Platform uses cookies and similar tracking technologies (collectively “Cookies”) in accordance with the TTDSG and the ePrivacy Directive (Directive 2002/58/EC as amended by Directive 2009/136/EC).
8.2. Cookies are classified as follows:
- Strictly Necessary Cookies (§ 25(2) No. 2 TTDSG): These Cookies are essential for the provision of the Platform's core functionality and do not require the Data Subject's consent. They include session cookies, CSRF protection tokens, and load balancing identifiers.
- Analytics Cookies: These Cookies are used for statistical analysis of website usage through Google Analytics 4. They are set only upon the Data Subject's prior, informed, and freely given consent pursuant to § 25(1) TTDSG and Article 6(1)(a) GDPR. Consent is obtained through a consent management mechanism presented upon the Data Subject's first visit to the Platform.
8.3. The Data Subject may manage Cookie preferences at any time through their browser settings or through the consent management mechanism on the Platform. The withdrawal of consent does not affect the lawfulness of Cookie-based processing carried out prior to the withdrawal.
§ 9 — Data Security
9.1. The Controller implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, in accordance with Article 32 GDPR. Such measures include, without limitation:
- Encryption of data in transit using TLS 1.2 or higher (HTTPS);
- Encryption of data at rest using industry-standard encryption algorithms;
- Access control mechanisms limiting access to personal data to authorized personnel only;
- Regular security assessments and vulnerability testing;
- Pseudonymization and data minimization in accordance with Article 25 GDPR (data protection by design and by default);
- Incident detection and response procedures.
§ 10 — Data Breach Notification
10.1. In the event of a personal data breach within the meaning of Article 4(12) GDPR, the Controller shall notify the competent supervisory authority without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach, in accordance with Article 33 GDPR, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
10.2. Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall communicate the breach to the affected Data Subjects without undue delay, in accordance with Article 34 GDPR, unless one of the conditions set forth in Article 34(3) GDPR applies.
§ 11 — Right to Lodge a Complaint
11.1. Without prejudice to any other administrative or judicial remedy, every Data Subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement, if the Data Subject considers that the processing of personal data relating to them infringes the GDPR, pursuant to Article 77 GDPR.
11.2. The competent supervisory authority for the Controller is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Postfach 20 04 44, 40102 Düsseldorf
Website: ldi.nrw.de
§ 12 — Changes to This Policy
12.1. The Controller reserves the right to amend this Policy at any time to reflect changes in legal requirements, technological developments, or business practices. The amended Policy shall be published on the Platform with an updated effective date.
12.2. Where material changes affect the processing of personal data in a manner that requires renewed consent, the Controller shall obtain such consent before implementing the changes.
12.3. Data Subjects are encouraged to review this Policy periodically to remain informed about the Controller's data protection practices.