privacy policy

last updated 27 April 2026

Privacy Policy

HR Improvement GmbH • paygood

As of: 27 April 2026

Translation Notice

This document is an English translation of the official German Privacy Policy (Datenschutzerklärung) provided for convenience only. In the event of any discrepancy between this English version and the German original, the German version shall prevail and be legally binding in all respects. The authoritative German version is available at paygood.app/datenschutz and upon request at [email protected].

Structure of this document

This Privacy Policy covers both the paygood.app website (Part A) and the paygood employee app (Part B). As the app does not yet have a direct in-app privacy link, both sections are combined here and accessible at paygood.app/datenschutz. A link to this page is also included in the footer of every e-mail we send you via the app.

Part A – Website paygood.app

Applies to all visitors of the website

A1. Privacy at a Glance

General Information

The following notes provide a simple overview of what happens to your personal data when you visit this website. Detailed information is provided in the sections below.

Who is responsible?

Data processing on this website is carried out by HR Improvement GmbH (contact details in section A3).

What rights do you have?

You have the right at any time to obtain information about, rectification or deletion of, and restriction of the processing of your stored personal data, as well as the right to data portability and to lodge a complaint with the competent supervisory authority.

Analytics and third-party tools

When you visit this website, your browsing behaviour may be statistically analysed. All analytics and marketing tools are used exclusively on the basis of your consent (§ 25 para. 1 TDDDG, Art. 6 para. 1 lit. a GDPR) granted via our cookie consent banner.

A2. Hosting and Infrastructure

Hetzner

Provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. Legal basis: Art. 6 para. 1 lit. f GDPR. DPA concluded. Privacy policy: https://www.hetzner.com/de/legal/privacy-policy/

Cloudflare

Cloudflare, Inc. (101 Townsend St., San Francisco, CA 94107, USA) is used as a CDN and for DDoS protection and Web Application Firewall. IP address and technical access data are processed. Legal basis: Art. 6 para. 1 lit. f GDPR. Cloudflare is certified under the EU-US Data Privacy Framework (DPF). DPA concluded. Privacy policy: https://www.cloudflare.com/de-de/privacypolicy/

A3. General Mandatory Information

Controller

HR Improvement GmbH, Kurt Beckers, Fremersbergstraße 41, 76530 Baden-Baden, Germany – Phone: +49 7221 9228806 – E-mail: [email protected] – Website: https://paygood.app

Retention Period

Personal data is deleted as soon as the purpose for processing ceases to apply, unless statutory retention obligations apply (e.g. 10 years pursuant to § 147 German Tax Code (AO), 6 years for business correspondence, 3 years standard limitation period pursuant to §§ 195, 199 German Civil Code (BGB)).

Legal Bases

We process personal data on the basis of Art. 6 para. 1 lit. a GDPR (consent), lit. b (performance of a contract), lit. c (legal obligation) and lit. f GDPR (legitimate interests). Where cookies are concerned, § 25 para. 1 TDDDG additionally applies.

Right to Object pursuant to Art. 21 GDPR

IF DATA PROCESSING IS BASED ON ART. 6 PARA. 1 LIT. E OR F GDPR, YOU HAVE THE RIGHT AT ANY TIME TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION; THIS ALSO APPLIES TO PROFILING. IN THE CASE OF DIRECT MARKETING YOU MAY OBJECT AT ANY TIME WITHOUT GIVING REASONS (ART. 21 PARA. 2 GDPR).

Competent Supervisory Authority

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg, Prof. Dr. Tobias Keber, Lautenschlagerstraße 20, 70173 Stuttgart, Germany, [email protected], https://www.baden-wuerttemberg.datenschutz.de/

SSL/TLS Encryption

This site uses SSL/TLS encryption. An encrypted connection is indicated by the padlock symbol and "https://" in your browser’s address bar.

A4. Data Collection on This Website

Cookies and Consent Management

Our website uses cookies. Technically necessary cookies are set on the basis of Art. 6 para. 1 lit. f GDPR. Analytics and marketing cookies are set exclusively on the basis of your consent (Art. 6 para. 1 lit. a GDPR, § 25 para. 1 TDDDG). You grant and manage your consent via our cookie consent banner; it may be withdrawn at any time.

Server Log Files

When pages are accessed, browser type, operating system, referrer URL, IP address and access time are automatically stored in server log files. Legal basis: Art. 6 para. 1 lit. f GDPR. Retention period: maximum 30 days.

Contact Form and E-Mail Contact

Data from contact enquiries is stored for processing purposes and is not passed on without consent. Legal basis: Art. 6 para. 1 lit. b GDPR (pre-contractual measures) or lit. f GDPR. Deleted when the purpose ceases to apply, subject to statutory retention periods.

Blog

Our blog operates without a comment function and without a save function. No personal data of readers is stored beyond the general server log collection.

A5. Analytics and Advertising

Google Tag Manager

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Manages tag integration centrally. No independent tracking. Consent required (Art. 6 para. 1 lit. a GDPR, § 25 para. 1 TDDDG). DPF-certified. DPA concluded. Privacy policy: https://policies.google.com/privacy

Google Analytics 4

Google Ireland Limited. Pseudonymous user tracking; IP addresses of EU users are not stored. Consent required. Default retention: 14 months. Opt-out add-on: https://tools.google.com/dlpage/gaoptout. DPF-certified. DPA concluded.

Google Ads

Google Ireland Limited. Display of advertising and conversion measurement. Consent required. DPF-certified. DPA concluded. Opt-out: https://myadcenter.google.com/personalizationoff

Hotjar

Hotjar Ltd., Malta. Analysis of click and scrolling behaviour; IP addresses are anonymised. Consent required. Data stored on EU servers. DPA concluded. Opt-out: https://www.hotjar.com/legal/compliance/opt-out

A6. Plugins and Tools

YouTube

Google Ireland Limited. Embedded videos; when played, data is transmitted to YouTube servers. Consent required (§ 25 para. 1 TDDDG). DPF-certified (https://www.dataprivacyframework.gov/participant/5780). Privacy policy: https://policies.google.com/privacy

LinkedIn Insight Tag

LinkedIn Ireland Unlimited Company, Dublin 2, Ireland. Analysis of website visitors based on professional profile data, conversion measurement, retargeting. Consent required. DPF and standard contractual clauses. Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out

A7. Newsletter and E-Mail

Newsletter via Brevo

Sendinblue GmbH (Brevo), Köpenicker Str. 126, 10179 Berlin, Germany. Newsletter dispatch based on your consent (Art. 6 para. 1 lit. a GDPR), double opt-in procedure. Unsubscribe at any time via the link in the newsletter. DPA concluded. Privacy policy: https://www.brevo.com/de/datenschutzerklaerung/

Payment Processing: Novalnet

Novalnet AG, Feringastr. 4, 85774 Unterföhring, Germany. Processing of payments on the website. Data transmitted: name, address, e-mail, IP address, bank details. Legal basis: Art. 6 para. 1 lit. b GDPR. DPA concluded.

HubSpot CRM

HubSpot Ireland Limited, Dublin 1, Ireland. Management of prospect and customer contacts. Legal basis: Art. 6 para. 1 lit. b and lit. f GDPR. DPF-certified. DPA concluded. Privacy policy: https://legal.hubspot.com/de/privacy-policy

 

Part B – paygood Employee App

Applies to employees as users of the paygood app

Note on shared controllership

Your personal data is processed by two controllers: (1) your employer, who enters your master and payroll data into paygood, and (2) HR Improvement GmbH as the platform operator. This section describes processing by HR Improvement GmbH. For information on data processing by your employer, please refer to their own privacy policy.

B1. Controller

HR Improvement GmbH, Kurt Beckers, Fremersbergstraße 41, 76530 Baden-Baden, Germany – Phone: +49 7221 9228806 – E-mail: [email protected]

B2. What data do we process about you?

B2.1 Master data (entered by your employer)

The following data is recorded in the system. Fields marked with * are mandatory and required for use:

- Company *
- First name and last name *
- E-mail address *
- Employee number *
- IBAN of your bank account (for payments)
- Position (optional)
- Phone number (optional)
- Start date / end date of employment (optional)

B2.2 Payroll and working time data (entered by your employer)

- Hourly wage or monthly salary (mandatory depending on remuneration model)
- Working hours per day (optional)
- One-off allowances in the current month (e.g. shift supplements, bonuses)
- One-off allowances spanning month-end (e.g. expenses, travel costs) – these remain in the system until fully processed

B2.3 Transaction data

- All transfers (advance payments, disbursements of one-off allowances)
- Time, amount and status of each transaction
- Recipient IBAN

Transaction data is subject to statutory retention obligations and is stored permanently (retention period: 10 years pursuant to § 147 German Tax Code (AO), § 257 German Commercial Code (HGB)).

B2.4 Technical and usage data

- Login times and frequency
- IP address during app usage
- Device information (operating system, app version)
- Inactivity periods (basis for reminder notifications)

B3. Purposes and legal bases of processing

B3.1 Provision and operation of the app

Processing of master and payroll data to enable salary advances and disbursements of one-off allowances.

Legal bases: Art. 6 para. 1 lit. b GDPR (performance of a contract), § 26 para. 1 BDSG (German Federal Data Protection Act – employee data protection).

B3.2 Payment processing

To process payments, your master data and bank details are transmitted to payment service provider Novalnet AG (see B5.1). Legal basis: Art. 6 para. 1 lit. b GDPR.

B3.3 Payroll reports for your employer

Your employer can download transaction data as a report (CSV or XLS) for payroll processing. Legal bases: Art. 6 para. 1 lit. b GDPR, § 26 para. 1 BDSG.

B3.4 E-mail notifications

We send you the following e-mails via the Mailgun service:

- Transaction confirmations (e.g. confirmation of a payment) – Legal basis: Art. 6 para. 1 lit. b GDPR.
- Inactivity reminder after 30 days – Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in activating unused remuneration entitlements).
- "New salary available" notification (from €50 additional income) – Legal basis: Art. 6 para. 1 lit. a GDPR (consent).
- "New extra pay available" notification (e.g. bonus, expenses) – Legal basis: Art. 6 para. 1 lit. a GDPR (consent).
- "New knowGood content available" notification (financial literacy content) – Legal basis: Art. 6 para. 1 lit. a GDPR (consent).

All optional notifications are enabled by default. You can deactivate individual notifications at any time in the app settings under "E-mail notifications". Consent may be withdrawn at any time with effect for the future; the lawfulness of processing carried out prior to withdrawal is not affected.

B3.5 Technical operation and security

Ensuring proper operation of the platform, troubleshooting, fraud prevention. Legal basis: Art. 6 para. 1 lit. f GDPR.

B4. Retention periods

- Master data and payroll data: for the duration of active use, then until expiry of statutory retention periods (6–10 years).
- Transaction data: 10 years from the date of booking (§ 147 AO, § 257 HGB).
- One-off allowances spanning month-end: until fully processed, then subject to statutory retention periods.
- Technical usage data (log data, IP addresses): maximum 30 days.
- Consent records for e-mail notifications: up to 3 years after withdrawal.

Upon your departure from the company or upon termination of the paygood contract by your employer, your active master data will be locked and deleted after expiry of the applicable statutory retention periods.

B5. Recipients and service providers

B5.1 Novalnet AG – Payment processing

Novalnet AG, Feringastr. 4, 85774 Unterföhring, Germany. Data transmitted: first name, last name, e-mail, IP address, IBAN, transaction amount and time. Purpose: identity verification, payment administration, fraud prevention. Legal basis: Art. 6 para. 1 lit. b GDPR. DPA concluded. Privacy policy: https://www.novalnet.de/datenschutzerklaerung

B5.2 Mailgun Technologies Inc. – E-mail delivery

Mailgun Technologies Inc. (Sinch group), 112 E Pecan St #1135, San Antonio, TX 78205, USA. Data processed: e-mail address, name, send time and status. Legal basis: Art. 6 para. 1 lit. b and lit. f GDPR. DPA concluded. Data transfers to the USA based on standard contractual clauses (Art. 46 GDPR). Privacy policy: https://www.mailgun.com/de/rechtliches/datenschutzerklaerung/

B5.3 Hetzner Online GmbH – Hosting

Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. All app data is stored on servers in Germany. DPA concluded.

B5.4 Cloudflare Inc. – Security / DDoS protection

Cloudflare, Inc., San Francisco, USA. Protects the platform against attacks; technical access data including IP address is processed. Legal basis: Art. 6 para. 1 lit. f GDPR. DPF-certified. DPA concluded.

B5.5 Your employer

Your employer, as the paygood customer, has access to your master and payroll data as well as to transaction data in the form of payroll reports (CSV/XLS). Legal basis: § 26 para. 1 BDSG, Art. 6 para. 1 lit. b GDPR. No further disclosure to third parties takes place.

B6. Your rights as a data subject

You have the following rights as a data subject under Art. 15–21 GDPR:

- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure / "right to be forgotten" (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to withdraw consent at any time without giving reasons
- Right to lodge a complaint with the competent supervisory authority (Art. 77 GDPR)

To exercise your rights or for any questions regarding data processing in the app, please contact: [email protected]

Competent supervisory authority: Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg, Lautenschlagerstraße 20, 70173 Stuttgart, Germany, [email protected]

 

As of: 27 April 2026. This Privacy Policy is updated when the technical implementation or legal requirements change. This document does not constitute legal advice.

This is an English translation for informational purposes only. The original German version (Datenschutzerklärung) is the sole legally binding document. Available at: paygood.app/datenschutz and at [email protected]
