Privacy Policy

Last updated: March 3, 2026

1. Overview

The following information provides a straightforward overview of what happens to your personal data when you visit this website or use the Consul app. Personal data is any data by which you can be personally identified. For detailed information, please refer to the sections below.

What data do we collect?

We collect data that you provide to us directly (for example, when purchasing a license) and data that is collected automatically when you visit the website or use the app. Automatically collected data includes technical information such as your browser type, operating system, and the time of your request.

What do we use your data for?

Data is used to provide this website, process license purchases, deliver license keys, generate invoices, enforce license limits, and manage trials. We use anonymized analytics data to understand how the website is used and to improve it.

What rights do you have?

You have the right to obtain information about the origin, recipients, and purpose of your stored personal data at any time, free of charge. You also have the right to request the rectification or deletion of this data, to restrict its processing, and to data portability. You have the right to object to processing and to lodge a complaint with the competent supervisory authority. You can contact us at any time regarding these rights.

2. Controller

The controller responsible for data processing on this website and in the Consul app is:

WeWork c/o Maximilian Krause
Kuatsu
Taunusanlage 8
60329 Frankfurt am Main
Germany

Email: hello [at] getconsul.app

The controller is the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.

3. Data Retention

Unless a more specific retention period is stated in this policy, your personal data will be retained for as long as the purpose for which it was collected continues to apply. If you assert a legitimate request for deletion or withdraw consent to data processing, your data will be deleted unless we have other legally permissible reasons for retaining it (for example, tax or commercial law retention obligations). In the latter case, deletion will occur once those reasons no longer apply.

License and activation data are retained as long as the license is active. Under German tax law (§ 147 AO), invoice-related data must be retained for ten years.

4. Legal Bases for Processing

We process personal data on the following legal bases under the GDPR:

  • Art. 6(1)(b) GDPR — processing is necessary for the performance of a contract (license purchase, license key delivery, license validation).
  • Art. 6(1)(c) GDPR — processing is necessary for compliance with a legal obligation (invoice generation under German tax law).
  • Art. 6(1)(f) GDPR — processing is necessary for the purposes of our legitimate interests (website analytics, server log files, security).

The applicable legal basis for each processing activity is identified in the relevant section below.

5. Your Rights

Right of access, rectification, and deletion

Within the scope of applicable law, you have the right to obtain free information about your stored personal data, its origin and recipients, and the purpose of its processing. You also have the right to request the rectification or deletion of this data. You can contact us at any time at the address above.

Right to restriction of processing

You have the right to request the restriction of processing of your personal data in the following cases:

  • If you contest the accuracy of your personal data stored by us, we generally need time to verify this. For the duration of the review you have the right to request restriction of processing.
  • If the processing of your personal data was or is being carried out unlawfully, you may request restriction of processing instead of deletion.
  • If we no longer need your personal data but you require it for the establishment, exercise, or defense of legal claims, you have the right to request restriction of processing instead of deletion.
  • If you have lodged an objection pursuant to Art. 21(1) GDPR, a balancing of your interests and ours must be carried out. As long as it has not yet been determined whose interests prevail, you have the right to request restriction of processing.

Right to data portability

You have the right to receive data that we process automatically on the basis of your consent or in performance of a contract, in a structured, commonly used, and machine-readable format, or to request that it be transmitted to another controller, where technically feasible.

Right to object

WHERE PROCESSING IS BASED ON ART. 6(1)(E) OR ART. 6(1)(F) GDPR, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF YOUR PERSONAL DATA ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION; THIS ALSO APPLIES TO PROFILING BASED ON THOSE PROVISIONS. THE RESPECTIVE LEGAL BASIS ON WHICH PROCESSING RESTS IS SET OUT IN THIS PRIVACY POLICY. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR PERSONAL DATA UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING THAT OVERRIDE YOUR INTERESTS, RIGHTS, AND FREEDOMS, OR THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE, OR DEFENSE OF LEGAL CLAIMS (OBJECTION UNDER ART. 21(1) GDPR).

Right to lodge a complaint

In the event of infringements of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or the place of the alleged infringement. This right to lodge a complaint is without prejudice to any other administrative or judicial remedy.

6. Revocation of Consent

Many data processing operations are only possible with your explicit consent. Where processing is based on consent, you may withdraw that consent at any time. The lawfulness of processing carried out prior to withdrawal is not affected.

7. SSL/TLS Encryption

This website uses SSL/TLS encryption for security reasons and to protect the transmission of confidential content, such as purchase requests you submit. You can recognize an encrypted connection by the address bar in your browser switching from “http://” to “https://” and by the lock icon in your browser bar. When SSL/TLS encryption is active, data you transmit to us cannot be read by third parties.

8. Hosting and Infrastructure

This website and our application database are hosted on servers operated by:

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen
Germany

Personal data collected through this website and the Consul app is stored on these servers. The legal basis for this hosting is Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in secure and reliable infrastructure).

9. Server Log Files

Our web server automatically collects and stores information in server log files that your browser transmits to us. This includes:

  • Browser type and version
  • Operating system
  • Referrer URL
  • Hostname of the accessing device
  • Time of the server request
  • IP address

This data is not merged with other data sources. Collection is based on Art. 6(1)(f) GDPR — we have a legitimate interest in the technically reliable operation and security of our website.

10. Website Analytics

This website uses Plausible Analytics, a privacy-friendly web analytics tool. The software is installed on our own servers and no data is transmitted to third parties.

Plausible Analytics collects the following metrics:

  • Page views
  • Referrers
  • Top pages
  • Screen sizes
  • Browsers
  • Countries

An anonymized hash of your IP address is stored. At no point does this data allow identification of individual persons. Plausible Analytics operates without cookies and does not use your IP address in identifiable form.

The legal basis is Art. 6(1)(f) GDPR — we have a legitimate interest in understanding how our website is used and in identifying and resolving technical issues.

Further information about Plausible Analytics and its data policy can be found at plausible.io/data-policy.

11. Cookies

This website sets a single, strictly necessary cookie (license_manager_session) when you log in to the License Manager. This cookie is an encrypted session token used to authenticate your session. It is HttpOnly, Secure, and expires after 24 hours. No cookie consent is required because it is strictly necessary for a service you explicitly requested (Art. 5(3) ePrivacy Directive). No other cookies are set.

12. Fonts

This website uses self-hosted fonts. No requests are made to Google Fonts or any other external font service when you visit this website.

13. Payment Processing (Stripe)

All payments are processed by:

Stripe Inc.
354 Oyster Point Blvd
South San Francisco, CA 94080
USA

When you purchase a Consul license, the following data is collected at checkout: email address, name (optional), billing address (optional), and VAT ID (optional, for business purchases). Payment card details are collected directly by Stripe and are never transmitted to or stored by us.

Stripe is certified under the EU-US Data Privacy Framework, ensuring compliance with European data protection standards for transfers to the USA.

The legal basis for this processing is Art. 6(1)(b) GDPR — processing is necessary for the performance of the purchase contract. For further information, see stripe.com/privacy.

14. Invoice Generation (Lexoffice)

Invoices are generated using Lexoffice, a service provided by:

Haufe-Lexware GmbH & Co. KG
Munzinger Straße 9
79111 Freiburg im Breisgau
Germany

For invoice creation, the following data is transmitted to Lexoffice: customer name, email address, and billing address (where provided at checkout).

The legal basis is Art. 6(1)(c) GDPR — processing is necessary for compliance with a legal obligation. German tax law (§ 14 UStG) requires us to issue proper invoices for every sale.

15. Transactional Email (Amazon SES)

Transactional emails (license key delivery, invoices, License Manager verification codes) are sent via Amazon Simple Email Service (SES), operated by:

Amazon Web Services EMEA SARL
38 Avenue John F. Kennedy
L-1855 Luxembourg

The email address you provide at checkout is used to deliver your license key and invoice. No marketing emails are sent. Amazon Web Services is certified under the EU-US Data Privacy Framework.

The legal basis is Art. 6(1)(b) GDPR — processing is necessary for the performance of the purchase contract.

16. Data Stored on Our Servers

We store the following data on our servers to operate the licensing system:

Licenses

Email address, license key, entitlement date, and maximum permitted device count. This data is required to validate licenses and enforce license terms.

License activations

Hardware UUID (a permanent device identifier provided by macOS), device name, and activation timestamp. This data is used to track the number of activated devices against the license limit.

Trials

Hardware UUID and trial start date. This data is used to enforce the one-time 14-day trial per machine.

The hardware UUID is a permanent device identifier. Because it can be linked to the email address upon license activation, it constitutes personal data under the GDPR. The legal basis for processing this data is Art. 6(1)(b) GDPR — processing is necessary to perform the license contract and enforce its terms.

17. Consul macOS App — Data Transmitted to Our Servers

The Consul macOS app communicates with our servers for the following purposes:

License validation

The app sends your email address, license key, and hardware UUID to our servers to verify that your license is valid. The legal basis is Art. 6(1)(b) GDPR.

License activation

When you activate Consul on a device, the app sends the hardware UUID and device name to register the device against your license. This allows us to enforce the per-license device limit. The legal basis is Art. 6(1)(b) GDPR.

Trial management

When starting or checking a trial, the app sends the hardware UUID to our servers. Each machine is entitled to one 14-day trial. The legal basis is Art. 6(1)(b) GDPR.

Auto-updates

The app periodically checks for software updates by contacting our servers. No personal data is transmitted during update checks — only generic request metadata such as the app version and operating system version.

No other data collection

The Consul app does not collect or transmit usage data, crash reports, telemetry, or any other data beyond what is described above. All file conversion operations are performed entirely locally on your device.