GuideMark

Privacy Policy

Last updated: March 10, 2026

1. Introduction

This Privacy Policy explains how GuideMark ("we", "us", "our") collects, uses, and protects your personal data when you use our website and services at guidemark.co. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and German data protection laws.

2. Data Controller

The data controller responsible for your personal data is:

GuideMark
Arnulfstr 112
12105 Berlin, Germany
Managing Director: Mehmet Perk
Email: mehmet@guidemark.co

3. Data We Collect

Account Data

When you register for an account, we collect:

  • Email address
  • Password (encrypted)
  • Profile information you provide

Usage Data

When you use our Service, we automatically collect:

  • IP address
  • Browser type and version
  • Operating system
  • Referrer URL
  • Pages visited and actions taken
  • Date and time of access

End-User Data

When your website visitors interact with GuideMark features embedded on your site — including product tours, beacon tooltips, onboarding checklists, and journey flows — we collect anonymized session data to provide analytics. We do not collect personally identifiable information from your end users unless you configure the widget to do so.

Payment Data

Payment information is processed directly by our payment processor, Stripe. We do not store your full credit card number. We receive only the last four digits for reference purposes.

4. How We Use Your Data

We process your personal data for the following purposes:

Purpose | Legal Basis (GDPR)
Providing the Service | Art. 6(1)(b) – Contract performance
Account management | Art. 6(1)(b) – Contract performance
Processing payments | Art. 6(1)(b) – Contract performance
Service improvements | Art. 6(1)(f) – Legitimate interest
Security and fraud prevention | Art. 6(1)(f) – Legitimate interest
Legal compliance | Art. 6(1)(c) – Legal obligation

5. Sub-Processors and Third Parties

We use the following third-party service providers (sub-processors) to operate our Service. Each has been selected for their commitment to data protection:

Service | Purpose | Data Processed | Location
Supabase | Database, Authentication, Storage | Account data, Tour content | EU region
Vercel | Web hosting, CDN | IP address, Access logs | EU/US
Stripe | Payment processing | Payment details, Billing address | EU/US
Resend | Transactional email | Email address | US
Groq | AI content generation, diagnostics | Page context, element metadata (no PII) | US
Google Analytics | Website analytics | Usage data, anonymized identifiers | EU/US

All sub-processors are bound by data processing agreements and are required to implement appropriate security measures.

6. International Data Transfers

Some of our sub-processors are located in the United States. For transfers of personal data outside the European Economic Area (EEA), we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • The EU-U.S. Data Privacy Framework, where applicable

These mechanisms ensure that your data receives adequate protection as required by GDPR.

7. Data Retention

We retain your personal data for as long as necessary to fulfill the purposes described in this policy:

  • Account data: Until you delete your account
  • Usage logs: 90 days
  • Payment records: 10 years (German tax law requirement)
  • Backup copies: Deleted within 30 days of primary data deletion

8. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption in transit (TLS 1.3) and at rest
  • Secure authentication with hashed passwords
  • Regular security assessments
  • Access controls and audit logging
  • Data center security (ISO 27001 certified providers)

9. Your Rights (GDPR)

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access: Request a copy of your personal data
  • Right to rectification: Correct inaccurate or incomplete data
  • Right to erasure: Request deletion of your data ("right to be forgotten")
  • Right to restrict processing: Limit how we use your data
  • Right to data portability: Receive your data in a machine-readable format
  • Right to object: Object to processing based on legitimate interests
  • Right to withdraw consent: Where processing is based on consent

To exercise these rights, contact us at mehmet@guidemark.co. We will respond within 30 days.

You also have the right to lodge a complaint with the Berlin data protection authority:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59-61, 10555 Berlin
www.datenschutz-berlin.de

10. Cookies

We use cookies to provide essential functionality. Our cookies include:

  • Authentication cookies: Keep you logged in (essential)
  • Session cookies: Maintain your session state (essential)

We do not use third-party tracking cookies or advertising cookies.

11. Data Processing Addendum (DPA)

If you are a business customer (B2B) using GuideMark to process personal data of your own users, we act as a data processor on your behalf under Article 28 GDPR.

Scope of Processing

As your data processor, we process end-user data solely to provide the GuideMark service to you. This includes displaying product tours, beacon tooltips, onboarding checklists, and journey flows, as well as tracking engagement and providing analytics.

Our Obligations

As a data processor, we commit to:

  • Process data only on your documented instructions
  • Ensure persons authorized to process data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist you in responding to data subject requests
  • Assist you with data breach notifications when required
  • Delete or return all personal data upon termination of the contract
  • Make available information necessary to demonstrate compliance
  • Only engage sub-processors with your prior authorization (see Section 5)

Your Obligations

As the data controller, you are responsible for:

  • Ensuring you have a lawful basis to collect end-user data
  • Providing appropriate privacy notices to your end users
  • Responding to data subject requests from your end users

Standard Contractual Clauses

For transfers to sub-processors outside the EEA, we incorporate the EU Standard Contractual Clauses (Module 3: Processor to Sub-processor) into our agreements.

By using GuideMark as a business customer, you agree to this Data Processing Addendum. For a signed copy or customized DPA, please contact mehmet@guidemark.co.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through the Service. The "Last updated" date at the top indicates when this policy was last revised.

13. Contact Us

For questions about this Privacy Policy or to exercise your data protection rights, please contact us:

GuideMark
Arnulfstr 112
12105 Berlin, Germany
Email: mehmet@guidemark.co