Last updated: May 2026
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
ecomhatch
E-Mail: privacy@ecomhatch.io
EcomHatch is a platform where e-commerce founders can find co-founders and business partners. To provide this service we operate user profile, listing, and messaging features. This policy describes which personal data we process, on what legal basis, how long we retain it, and what rights you have.
When you register, we collect your email address and a password of your choosing. The email address is used to verify your account, for password recovery, and for transactional notifications (e.g. contact requests). Passwords are stored exclusively as a secure hash.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
After registration you may voluntarily add further information to your profile: display name, username, short bio, skills, location, website and social media handles, and a profile picture. This data is publicly visible to other users.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract) where required for use of the platform; otherwise Art. 6(1)(a) GDPR (consent via voluntary input).
When you create a listing we store the title, description, category, project stage, desired partner roles, required skills, location, time commitment, remote status, and an optional cover image. Listings are publicly accessible and indexed by search engines.
Legal basis: Art. 6(1)(b) GDPR.
Messages between users and the associated conversation history are stored in our database. Content is visible only to the parties involved. Once both parties delete a conversation it is permanently removed from the database.
Legal basis: Art. 6(1)(b) GDPR.
Listings you mark as favourites are stored linked to your account. If you invite other users via your referral link, the referral relationship is stored for the purpose of credit management.
Legal basis: Art. 6(1)(b) GDPR.
When you access our website, the hosting services we use (Vercel, Hetzner) automatically record technical data: IP address, timestamp, requested URL, HTTP status code, bytes transferred, and browser and OS identifiers. This data is needed for secure operation, error diagnosis, and protection against abuse, and is deleted after the typical retention periods of the respective providers (generally 7–30 days).
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure operation).
We use only technically necessary cookies. Specifically, our authentication infrastructure (Supabase Auth) sets session cookies that are deleted on sign-out or session expiry. A separate cookie stores your language preference (German/English).
We do not use tracking, analytics, or advertising cookies. A cookie banner is therefore not required.
Legal basis: Art. 6(1)(b) and (f) GDPR.
We engage the following service providers as data processors under Art. 28 GDPR:
Contabo GmbH
Welfenstraße 22, 81541 München
Purpose: Operation of the VPS server hosting the database, authentication server, and file storage. All user data is stored exclusively on this server in Germany.
Legal basis: DPA under Art. 28 GDPR; EU server location, no third-country transfer.
Provider's Privacy Policy
Vercel Inc.
440 N Barranca Ave #4133, Covina, CA 91723, USA
Purpose: Hosting the Next.js web application (frontend, server-side rendering). Vercel processes access logs and serves the user interface.
Legal basis: DPA under Art. 28 GDPR; Vercel is a certified participant in the EU-US Data Privacy Framework (DPF) — third-country transfer on the basis of an adequacy decision by the European Commission (Art. 45 GDPR).
Provider's Privacy Policy
Cloudflare, Inc.
101 Townsend St, San Francisco, CA 94107, USA
Purpose: CDN, DDoS protection, and DNS resolution. Cloudflare may process IP addresses and request metadata in the course of this.
Legal basis: DPA under Art. 28 GDPR; Cloudflare is a certified participant in the EU-US Data Privacy Framework (DPF) — third-country transfer on the basis of an adequacy decision by the European Commission (Art. 45 GDPR).
Provider's Privacy Policy
Resend Inc.
USA (Delaware)
Purpose: Sending transactional emails (registration confirmation, password reset). Resend receives the recipient's email address and the content of the respective email.
Legal basis: DPA under Art. 28 GDPR; Resend is a certified participant in the EU-US Data Privacy Framework (DPF) — third-country transfer on the basis of an adequacy decision by the European Commission (Art. 45 GDPR).
Provider's Privacy Policy
A data processing agreement (DPA) pursuant to Art. 28 GDPR exists or will be concluded with each of the processors listed above before going live.
We store personal data only for as long as necessary for the respective purpose or as required by statutory retention obligations.
Under the GDPR you have the following rights:
To exercise your rights, contact the controller by email at the address above. We will respond within 30 days.
You also have the right to lodge a complaint with a data protection supervisory authority. In Germany, the competent authority is that of the federal state in which you reside.
All data transmitted between your browser and our servers is encrypted via HTTPS. Our database is not directly reachable from the internet; access is exclusively through a secured API gateway. Passwords are never stored in plain text — only as a cryptographic hash. Database operations are subject to access controls that ensure users can only access their own data.
Our service is intended for persons aged 18 and over. We do not knowingly collect personal data from persons under 18. If we become aware that a minor has created an account, we will delete it without delay.
We reserve the right to update this Privacy Policy to reflect changes to our services or legal requirements. The current version is always available at https://ecomhatch.io/privacy. Registered users will be notified by email of material changes.