Privacy Policy
Last Updated: October 21, 2025
Introduction
These Privacy Policies have been translated from German. Until the British Ltd is established, HUERRAY still falls under the German entity. Until then, the terms and conditions of HUERRAY as stipulated by the German entity apply.
This Privacy Policy explains how THRYPES GmbH, 4th Floor, Gontardstr. 11, 10178 Berlin, Germany (hereinafter referred to as “THRYPES,” “we,” or “us”), processes personal data when you use our websites, platforms, social media pages, communication channels, and services related to user-generated content (UGC); when you register as a creator/influencer or as a corporate client; when you cooperate with us, enter into contracts, or otherwise interact with us.
We process data within the DACH region in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the German Federal Data Protection Act (BDSG), the Telecommunications Telemedia Data Protection Act (TTDSG), and other applicable data protection laws.
1. Controller and Contact
The controller within the meaning of Art. 4(7) GDPR is:
THRYPES GmbH,
4th Floor,
Gontardstr. 11,
10178 Berlin, Germany.
For general inquiries, please contact us at: info@huerray.de
2. Data Protection Officer
We have appointed a Data Protection Officer, who can be reached as follows: THRYPES GmbH, 4th Floor, Gontardstr. 11, 10178 Berlin, Germany. Email: datenschutz@huerray.de
3. Complaints
You have the right to lodge a complaint at any time with the competent data protection authority. However, we would appreciate the opportunity to address your concerns before you contact the authority — so please reach out to us first.
4. General Information on Data Processing
a) Scope of the Processing of Personal Data
We process personal data of our users only to the extent necessary to provide a functional website/platform and to deliver our business-related content and services. Processing generally occurs based on your consent (e.g., via our consent manager for analytics/marketing technologies, newsletter subscriptions, or published UGC content). An exception applies in cases where obtaining prior consent is not possible for practical reasons and the processing is permitted by legal provisions or is necessary for contract performance.
We adhere to the principles of transparency, purpose limitation, data minimization, accuracy, storage limitation, and integrity/confidentiality in accordance with Art. 5 GDPR.
b) Legal Basis for the Processing of Personal Data
We process data based on the following legal grounds:
Consent (Art. 6(1)(a) GDPR): where you have explicitly given consent via the consent manager or otherwise (e.g., for Google Analytics/GA4, marketing emails under the double opt-in procedure, or publication of image/video material beyond contractual obligations). Consent is voluntary and may be withdrawn at any time with future effect.
Contract / Pre-contractual measures (Art. 6(1)(b) GDPR): where processing is necessary to fulfill a contract with you or to carry out pre-contractual measures (e.g., creator onboarding, briefing, production, approval, payment, customer service)
Legal obligation (Art. 6(1)(c) GDPR): where processing is required to comply with legal obligations (e.g., commercial/tax retention, compliance, or disclosure to authorities)
Vital interests (Art. 6(1)(d) GDPR): in rare cases, where processing is necessary to protect vital interests of the data subject or another natural person
Legitimate interests (Art. 6(1)(f) GDPR): where processing is necessary to safeguard our legitimate interests or those of third parties, provided your interests or fundamental rights do not override them (e.g., IT security, fraud prevention, minimal reach measurement, quality management, legal enforcement/defense, or the selection of suitable creators based on objective, non-automated criteria)
TTDSG: Storing information or accessing information on your device (e.g., cookies, device IDs) requires your consent under § 25(1) TTDSG unless technically essential. The subsequent processing is then based on one of the above GDPR legal bases. For existing customer advertising, § 7(3) UWG may apply.
c) Data Deletion and Retention Period
Personal data is deleted or blocked as soon as the purpose of storage ceases to apply. Data may be stored beyond this point if required by European or national legislators in EU regulations, laws, or other provisions to which we are subject (e.g., commercial/tax retention obligations under the German Commercial Code (HGB) or Fiscal Code (AO), typically for 6 to 10 years).
Blocking or deletion also occurs when a legally prescribed retention period expires, unless continued storage is necessary for contract fulfillment or the assertion/defense of legal claims. After expiration, data will be deleted or, where possible, anonymized.
5. Provision of the Website
a) Description and Scope of Data Processing
Each time our website is accessed, our system automatically collects data and information from the accessing device. This includes in particular:
(1) Information about the browser/device type and version used
(2) The operating system of the user
(3) The user's internet service provider
(4) The user's IP address
(5) Date and time of access
(6) Referrer URL (the website from which the user was referred to our site)
(7) Pages/files accessed and duration of stay on our website
The data is processed for the duration of the session to enable delivery of the website. It is also stored in our system log files. These data are not stored together with other personal data of the user.
b) Legal Basis for Data Processing
The legal basis for the temporary storage of data and logging in log files is Art. 6(1)(f) GDPR. Our legitimate interest lies in ensuring the technical functionality, stability, and security of the website (e.g., detecting misuse or attacks), as well as performance monitoring and troubleshooting.
c) Purpose of Processing
Temporary storage of the IP address by the system is necessary to deliver the website to the user's device. For this purpose, the user's IP address must remain stored for the duration of the session. These purposes also constitute our legitimate interest in data processing pursuant to Art. 6(1)(f) GDPR.
d) Storage Duration
The data is deleted as soon as it is no longer required to achieve the purpose of its collection. In the case of website provision, this occurs when the respective session ends.
e) Right to Object and Removal Option
The collection and storage of data for website provision and logging in log files is essential for operating the website. Consequently, the user has no option to object to this processing.
a) Description and scope of data processing
On our website, you can sign up for notifications, newsletters, or other email communications (e.g., project updates, UGC news). For sending and analyzing our emails, we use the service Mailchimp provided by The Rocket Science Group LLC d/b/a Mailchimp, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA.
Mailchimp enables the organization and sending of emails (transactional and marketing) as well as analytics (e.g., deliverability, opens, clicks, unsubscribes). For this purpose, the following data, among others, are processed and stored on Mailchimp's servers: email address, if applicable name, company, language/region, time of registration (double opt-in), proof of consent, IP address/time zone at registration, interactions with our emails (e.g., opens, clicks), technical metadata (e.g., device/browser information). Mailchimp may create delivery reports to optimize deliverability and may use a tracking pixel in emails. Where a transfer to the USA takes place, we base this on SCCs and the data protection/processing terms agreed with Mailchimp.
b) Legal basis for data processing
Art. 6(1)(a) GDPR (consent) for sending newsletters/marketing emails under the double-opt-in procedure and for statistical reach measurement;
Art. 6(1)(b) GDPR (contract/pre-contractual measures) for transactional emails (e.g., system-required notices, account/project communication);
§ 7(3) UWG (existing customer advertising), where permissible, for sending similar offers to existing customers.
c) Purpose of data processing
Processing serves email delivery, subscription management, documentation of your consent (proof), optimization of our communications (e.g., topic/frequency control), and measurement of the reach/success of our emails (aggregated statistics, error messages, deliverability).
d) Storage period
We store your email data until you withdraw consent/unsubscribe from the respective mailing list and—where necessary—for proof purposes (consent records) for up to 3 years after the last mailing/withdrawal (Art. 5(2) GDPR — accountability; § 7 UWG). Logs of transactional emails are retained in accordance with statutory retention periods and/or IT security requirements and are then deleted or anonymized. Mailchimp deletes or anonymizes data according to contractual requirements and on our instructions.
e) Right to object and deletion options
You can withdraw your consent at any time with effect for the future (e.g., via the unsubscribe link in every email or by email to info@huerray.de). You may object to existing customer advertising at any time. Processing of transactional emails is necessary for contract performance; there is no option to unsubscribe from these where legally/contractually required.
8. Data You Provide Upon Registration, Contract Conclusion, and Use of Our Online Services
a) Description and scope of data processing
When you first register and create an account, and when you use our online services (e.g., customer/creator dashboard, briefing/upload functions, ordering/booking processes), we ask you to provide personal data. We transparently indicate which information is mandatory (required fields) and which is voluntary.
Data that may be collected includes in particular:
Identity and contact data: first and last name, if applicable artist/creator name, address(es), email address, phone number(s), company name/role (for business customers), preferred language.
Access data: username, password (stored exclusively in encrypted form), where applicable security/verification attributes.
Contract/transaction data: information about the legal transaction (offer, order, contract texts, terms, cancellations), project/order IDs, briefings/approvals, acceptances, project communication, billing/payment status.
Billing/payment data: billing and delivery address, VAT ID (if applicable), bank details/IBAN/BIC or payment service provider IDs.
Consent and proof data: declarations of consent (e.g., newsletter/tracking, publications), double-opt-in timestamps, consent/withdrawal logs.
Profile/convenience information (voluntary): profile photo/avatar, social media handles, topic preferences, portfolio links, settings.
In the course of contract performance, your personal data may be shared with third parties where necessary for the respective contract processing or project implementation (e.g., hosting/IT providers, email/newsletter provider Mailchimp, payment/banking service providers, logistics/file transfer and, in the creator context, customers/partners if required for briefing, approvals, acceptances, or proof of use). We have data processing agreements with processors pursuant to Art. 28 GDPR.
b) Legal basis for data processing
Art. 6(1)(b) GDPR (contract/pre-contractual measures) for mandatory information and all processing necessary to provide the account, enable the functions, and perform contracts.
Art. 6(1)(a) GDPR (consent) for voluntary information, newsletter/marketing communications, and publication of content where not already contractually owed.
Art. 6(1)(c) GDPR (legal obligation) e.g., for tax/commercial retention obligations.
Art. 6(1)(f) GDPR (legitimate interests) e.g., for IT and account security, abuse/fraud prevention, internal administration, and legal enforcement; your interests are carefully balanced.
c) Purpose of data processing
Processing enables and manages your account and the use of the respective offerings/functions (e.g., briefing, content upload, contract processing, reporting), communication (inquiries, support), personalization/convenient use (where voluntary information is provided), as well as proper billing and compliance with legal obligations.
d) Storage period
We process the data for as long as necessary for the purposes mentioned:
Account/profile data: until the account is deleted by you or us (in accordance with the contract/terms of use) and thereafter insofar as statutory retention obligations exist.
Contract/billing documents: generally 6 to 10 years in accordance with the German Commercial Code (HGB) / Fiscal Code (AO).
Consent logs: for proof purposes up to 3 years after withdrawal/unsubscription.
After the purposes cease to apply, data is deleted or—where technically possible and legally permissible—anonymized.
e) Right to object and deletion options
Where we process data based on your consent or due to voluntary information, you may withdraw consent at any time with future effect and/or delete/adjust voluntary details yourself in your account. There is no withdrawal option for mandatory contract/system data where this is required to provide the services or fulfill legal obligations. Your right to object under Art. 21 GDPR remains unaffected (e.g., against processing based on legitimate interests). Please address withdrawals/objections to datenschutz@huerray.de.
9. Advertising Without Consent (Existing Customer Advertising under § 7(3) UWG)
a) Description and Scope of Data Processing
If you have created an account with us or used one of our services, we consider you an existing customer. Within this framework, we may process your postal contact details (name, address) — even without separate consent — to send you information about our own, similar products or services. We may also use your email address to send you our own, similar offers, provided that we obtained it in connection with the sale of a product or service. Voluntary information (e.g., interests) may be used to tailor content to your preferences. No data will be passed on to third parties for their own advertising purposes; processors are used in accordance with Art. 28 GDPR.
b) Legal Basis
Processing is carried out on the basis of Art. 6(1)(f) GDPR (legitimate interest in direct marketing) in conjunction with § 7(3) UWG (email advertising to existing customers for similar goods/services). We perform a balancing of interests and fully respect your right to object at any time.
c) Purpose of Processing
Direct marketing for our own, similar products and services, and the provision of related information.
d) Storage Duration
We process the contact and usage data required for this purpose for as long as the customer relationship exists, until you object, or — where applicable — in accordance with the principles and legal retention periods described in Section 14 (Storage Period and Criteria).
e) Right to Object and Deletion Options
You can object to the use of your data for advertising purposes at any time. For emails, please use the unsubscribe link provided or contact datenschutz@huerray.de; for postal advertising, you can likewise object at any time.
10. UGC Uploads, Review, Publication & Provision to Business Clients
Creators upload content (e.g., videos, images, text, accompanying metadata) via the platform. Content is reviewed for completeness, compliance with briefings and legal standards, and—depending on the campaign status—made available to business clients for viewing, selection, approval, and use. After approval, content is provided to companies according to the agreed usage rights (e.g., for download, advertising placements, organic posts, landing pages, or e-shops).
Legal Bases:
• Art. 6(1)(b) GDPR (contract / pre-contractual measures)
• Art. 6(1)(f) GDPR (quality assurance / moderation)
• Art. 6(1)(a) GDPR (consent) for processing/publication beyond what is contractually required.
Transparency/Visibility:
Within the project or campaign context, it is visible which data/UGC is made available to which company. Profile data necessary for applications/matching (e.g., name/creator name, social links, thematic tags, sample UGC) may be displayed to business clients.
Deletion/Retention:
Raw uploads, review versions, approvals, and acceptances are stored on a project basis. After project completion, we delete or anonymize data unless legal or contractual obligations require retention. Already granted usage rights remain unaffected (existing uses).
11. Recipients, Third-Country Transfers & Safeguards
Recipients:
Internal departments (Operations, Creator Success, Sales, Finance), contracted processors (hosting/IT, email/newsletter, payment services, file transfer, CRM/ticket systems), and — within project contexts — business clients/partners.
Third Countries:
If data is transferred to third countries (outside the EEA), e.g., to Mailchimp (USA), such transfers are based on appropriate safeguards, in particular Standard Contractual Clauses (SCCs), and additional technical and organizational protection measures, limited to what is necessary.
Details can be provided upon request.
12. Social Media Pages & Communication Channels
When you interact with our social media pages, we process the information you provide to handle your inquiry. In addition, the respective platform providers' privacy policies apply. Depending on the platform, joint controllership may exist under data protection law.
13. Security
We implement technical and organizational security measures in line with current industry standards (e.g., encryption, access control, logging, hardening/monitoring) to ensure an appropriate level of protection corresponding to the risk.
14. Storage Period and Criteria
We store personal data only for as long as necessary to fulfill the respective purposes or as required by statutory/contractual obligations (typically 6–10 years for tax and commercial documentation). Afterwards, we delete or anonymize the data. Consent records may be retained for up to 3 years after withdrawal (accountability obligation).
15. Data Subject Rights
If your personal data is processed, you are a data subject within the meaning of the GDPR and have the following rights toward the controller:
Right of Access
You have the right to obtain confirmation as to whether or not personal data concerning you is being processed. If so, you may request access to the following information:
the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipients to whom your personal data has been or will be disclosed;
the envisaged period of storage or, if specific information is not possible, the criteria used to determine that period;
the existence of the right to rectification, erasure, or restriction of processing, or the right to object to such processing;
the existence of a right to lodge a complaint with a supervisory authority;
where the personal data is not collected from you, any available information as to its source;
the existence of automated decision-making, including profiling under Art. 22(1) and (4) GDPR, and—at least in those cases—meaningful information about the logic involved as well as the significance and envisaged consequences of such processing.
You also have the right to be informed whether your data is transferred to a third country or an international organization and to be informed of the appropriate safeguards under Art. 46 GDPR relating to such transfers.
Right to Rectification
You have the right to obtain the rectification of inaccurate personal data and the completion of incomplete data without undue delay.
Right to Restriction of Processing
You may request the restriction of processing of your personal data under the following conditions:
you contest the accuracy of your personal data for a period enabling us to verify its accuracy;
the processing is unlawful, but you oppose deletion and request restriction instead;
we no longer need the data for processing purposes, but you require it for the establishment, exercise, or defense of legal claims; or
you have objected to processing under Art. 21(1) GDPR, pending verification of whether our legitimate grounds override yours.
Where processing is restricted, the data may—apart from storage—only be processed with your consent, for legal claims, to protect the rights of another person, or for important public interest reasons. You will be informed before any restriction is lifted.
Right to Erasure ("Right to be Forgotten")
a) Obligation to Erase
You may request the immediate deletion of your personal data, and we are obliged to delete it without undue delay if one of the following applies:
the data is no longer necessary for the purposes for which it was collected or processed;
you withdraw your consent and there is no other legal basis for processing;
you object to the processing under Art. 21(1) or (2) GDPR and there are no overriding legitimate grounds;
the data was unlawfully processed;
deletion is required to comply with a legal obligation under EU or Member State law;
the data was collected in relation to information society services under Art. 8(1) GDPR.
b) Notification to Third Parties
Where we have made personal data public and are obliged to erase it, we will take reasonable steps, including technical measures, to inform controllers processing the data that you have requested deletion of all links to, copies, or replications of such data.
c) Exceptions
The right to erasure does not apply if processing is necessary:
1. for exercising the right of freedom of expression and information;
2. for compliance with a legal obligation or performance of a public interest task;
3. for reasons of public interest in the area of public health (Art. 9(2)(h, i) and (3) GDPR);
4. for archiving, scientific, historical, or statistical purposes (Art. 89(1) GDPR) where erasure would seriously impair those purposes; or
5. for the establishment, exercise, or defense of legal claims.
Right to Notification
If you have exercised your right to rectification, erasure, or restriction of processing, we will inform all recipients to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort. You have the right to be informed about those recipients.
Right to Data Portability
You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and the right to transmit that data to another controller without hindrance, where:
the processing is based on consent (Art. 6(1)(a) or Art. 9(2)(a) GDPR) or on a contract (Art. 6(1)(b) GDPR); and
the processing is carried out by automated means.
You also have the right to have your data transmitted directly from one controller to another, where technically feasible and provided that the rights of others are not adversely affected. This right does not apply to processing necessary for the performance of a task carried out in the public interest or under official authority.
Right to Object
You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data based on Art. 6(1)(e) or (f) GDPR, including profiling based on those provisions.
We will no longer process your personal data unless we can demonstrate compelling legitimate grounds that override your interests or the processing serves the establishment, exercise, or defense of legal claims.
If your personal data is processed for direct marketing, you may object at any time to such processing, including profiling related to direct marketing. If you object, your personal data will no longer be processed for these purposes.
You can exercise your right to object using automated procedures (e.g., unsubscribe links) that use technical specifications, regardless of Directive 2002/58/EC.
Right to Withdraw Consent
You have the right to withdraw your consent at any time. The withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
Automated Individual Decision-Making, Including Profiling
You have the right not to be subject to a decision based solely on automated processing—including profiling—that produces legal effects concerning you or similarly significantly affects you, except where:
(1) it is necessary for entering into or performing a contract between you and us;
(2) it is authorized by Union or Member State law providing suitable safeguards; or
(3) it is based on your explicit consent.
Such decisions may not be based on special categories of personal data unless Art. 9(2)(a) or (g) GDPR applies and appropriate measures are taken to safeguard your rights and interests.
In the cases referred to in (1) and (3), we will implement suitable measures to protect your rights and freedoms, including the right to human intervention, to express your point of view, and to contest the decision.
Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority—particularly in the Member State of your residence, workplace, or the alleged infringement—if you consider that the processing of your personal data violates the GDPR.
The supervisory authority with which the complaint has been lodged will inform you of the progress and outcome of the complaint, including the possibility of judicial remedy under Art. 78 GDPR.