At Sugar (sugar.dev), operated by Sumosmash UG (haftungsbeschränkt), we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our services or visit our website. We comply with the EU General Data Protection Regulation (GDPR), the German Telecommunications Digital Services Data Protection Act (TDDDG), the Federal Data Protection Act (BDSG), and other applicable laws.
1. Data Controller
The data controller responsible for your personal data is:
Sumosmash UG (haftungsbeschränkt)
Operating as: Sugar (sugar.dev)
Seydelstr. 12
10117 Berlin, Germany
Email: hello@sugar.dev
For statutory company details, please see our Impressum.
2. Information We Collect
2.1 Information You Provide:
- Contact information (name, email, phone, company)
- Project details and requirements
- Payment and billing information
- Communications with our team
2.2 Information Collected Automatically:
- IP address and device data
- Browser type, operating system, and version
- Pages visited and time spent on our website
- Referring website addresses
2.3 Cookies and Tracking:
We use cookies and similar technologies for:
- Essential – Required for site functionality and security
- Analytics – Google Analytics, PostHog (only with your consent)
- Marketing – LinkedIn Insight Tag (only with your consent)
Our consent banner displays "Accept all" and "Reject all" buttons on the first layer with equal prominence. No non-essential cookies or tags load before consent is given.
You can change your preferences anytime via the "Cookie settings" link in the footer. If you use a certified Consent Management Service (Einwilligungsverwaltungsdienst) under the German Consent Ordinance (EinwV), we will honor your choices where technically feasible.
3. Legal Bases for Processing
We process personal data under GDPR Article 6 on the following bases:
- Contract performance: To deliver our services and fulfill agreements
- Legitimate interests: For business operations, security, and service improvement
- Consent: For analytics, marketing, and optional activities
- Legal obligations: For tax, accounting, and compliance with regulations
4. How We Use Your Information
We use your information to:
- Provide and manage AI development services
- Communicate about projects and provide support
- Process payments and billing
- Send service updates and transactional notifications
- Improve services and develop new features
- Comply with legal requirements and protect our rights
- Send marketing communications (only with your consent)
We also assess any government or law-enforcement request for data for legality and proportionality, and will challenge unlawful or excessive requests.
Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects concerning you.
5. Data Sharing and Disclosure
We do not sell your personal data. We share data only with trusted processors and as legally required:
- Google Ireland Ltd. – Website analytics (Google Analytics)
- PostHog Inc. – Product analytics
- LinkedIn Ireland Unlimited Company – Marketing analytics (Insight Tag)
- Stripe Payments Europe Ltd. – Payment processing
- Vercel Inc. – Hosting and infrastructure
All processors are bound by GDPR-compliant contracts and safeguard your data appropriately.
6. International Data Transfers
Some providers process data outside the EU/EEA. In these cases, we ensure an adequate level of protection through:
- EU Standard Contractual Clauses (SCCs)
- EU adequacy decisions (e.g., UK, Japan)
- EU–US Data Privacy Framework (DPF) for certified US companies
You may request a copy or summary of the safeguards used for such transfers by contacting us.
7. Data Security
We implement appropriate technical and organizational measures to protect personal data, including:
- Encryption of data in transit and at rest
- Pseudonymisation where possible
- Access controls and authentication mechanisms
- Regular security reviews and employee training
8. Data Retention
We retain data only as long as necessary for the stated purposes:
- Project data: Project duration + 3 years
- Financial records: 10 years (required by German law)
- Marketing data: Until you withdraw consent
- Website analytics: Up to 26 months
We review retention periods regularly and delete or anonymize data when no longer needed.
9. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Access: Request a copy of your data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion ("right to be forgotten")
- Restriction: Limit how your data is processed
- Portability: Receive your data in a portable format
- Objection: Object to processing, including direct marketing
- Withdraw consent: Withdraw any consent you previously gave
To exercise these rights, contact hello@sugar.dev.
You also have the right to lodge a complaint with your local supervisory authority. In Berlin:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59–61, 10555 Berlin
Email: mailbox@datenschutz-berlin.de
10. Children's Privacy
Our services are not directed at individuals under 16 years old. We do not knowingly collect data from children under 16. If you believe we have, please contact us.
11. Updates to This Policy
We may update this Privacy Policy from time to time. Significant changes will be notified via our website or email. Previous versions are available on request.
Last updated: August 29, 2025
12. Contact
For privacy questions or to exercise your rights:
(If you appoint a Data Protection Officer under BDSG §38, replace "Privacy Contact" with "Data Protection Officer" and include direct contact details.)