Privacy Policy
The protection of personal data is of particular importance to us. In the following, we inform you in detail about the collection of personal data when using our website (gumb.app) and our apps (web.gumb.app). Personal data means all data with which conclusions can be drawn about you personally, such as name, address, email addresses, or user behavior. The processing is always carried out in accordance with the General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP).
1. Controller for the Data Processing
The controller within the meaning of Art. 4 para. 7 GDPR is:
Gumb AG
Büsingerstrasse 5
CH-8203 Schaffhausen
Switzerland
Email: privacy@gumb.app
You can reach our Data Protection Officer at privacy@gumb.app (see also section 3).
2. International Representation & EU Representation (Art. 27 GDPR)
Gumb is a globally operating company with customers in Switzerland, the European Union, the USA, and worldwide. Pursuant to Art. 27 GDPR, we have reviewed whether the appointment of an external representative in the EU is required. Since we centrally manage the protection of your data from our headquarters in Switzerland - a country for which the European Commission has issued an adequacy decision regarding the level of data protection - and we currently do not carry out large-scale processing of sensitive data pursuant to Art. 9 GDPR, our headquarters serves as the central point of contact.
For all data protection inquiries from the EU, the USA, or other regions, you can contact us directly:
Gumb AG
Büsingerstrasse 5
CH-8203 Schaffhausen
Switzerland
Email: privacy@gumb.app
We continuously monitor our regulatory obligations. Should the appointment of a local representative become necessary due to our growth in specific markets (e.g., EU or UK), we will update this section immediately.
3. Data Protection Officer
If legally required (e.g., in the case of processing sensitive data or more than 20 employees pursuant to Art. 37 GDPR or national provisions), we have appointed a Data Protection Officer.
This person can be reached at:
Data Protection Officer of Gumb AG
Büsingerstrasse 5
CH-8203 Schaffhausen
Switzerland
Email: privacy@gumb.app
If no Data Protection Officer is required, the management assumes responsibility; this is based on a risk assessment under the FADP and GDPR.
4. Your Rights
You have the following rights with respect to the personal data concerning you:
- Right of access (Art. 15 GDPR): You can request information about the personal data we process about you and a copy of this data.
- Right to rectification (Art. 16 GDPR): You can request the correction of inaccurate or the completion of incomplete data.
- Right to erasure (Art. 17 GDPR): You can request the erasure of your data, provided that no statutory retention obligations (e.g., tax law requirements) prevent this.
- Right to restriction of processing (Art. 18 GDPR): Under certain conditions, you can request the restriction of the processing of your data.
- Right to data portability (Art. 20 GDPR): You have the right to receive data that we process on the basis of your consent or a contract in a commonly used format.
- Right to object (Art. 21 GDPR) and withdrawal of consent (Art. 7 para. 3 GDPR): If you have given us consent, you can withdraw it at any time with effect for the future. If we process data on the basis of legitimate interests (Art. 6 para. 1 lit. f GDPR), you can object to the processing for reasons arising from your particular situation. Please direct your objection or withdrawal to the contact details provided in section 1.
Your consent settings (e.g., for cookies, analytics, or marketing tools) can be adjusted or withdrawn at any time via the cookie banner on our website or in the app settings. The withdrawal is free of charge, simple, and takes effect for the future without affecting the lawfulness of the processing carried out up to that point. Alternatively, you can direct your withdrawal to the contact details provided in section 1.
Right to lodge a complaint: You have the right to lodge a complaint with a data protection supervisory authority. The competent authority is either the authority of your place of residence or the Swiss supervisory authority:
Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB)
Depending on your place of residence, you can also lodge a complaint with the competent supervisory authority in your country (e.g., in the USA with the respective state authority or in an EU member state with the local data protection authority).
5. Collection of Personal Data When Visiting Our Website/Apps
5.1 Informational Use of the Website
When you use our website purely for informational purposes, we only collect the data that your browser transmits to our server. This data is technically necessary to ensure the stability and security of the site (legal basis: Art. 6 para. 1 lit. f GDPR):
- IP address
- Date and time of the request
- Time zone difference to Greenwich Mean Time (GMT)
- Content of the request (specific page)
- Access status/HTTP status code
- Amount of data transferred in each case
- Website/app from which the request originates (referrer)
- Browser, operating system, language, and version of the browser software
5.2 Use of the Apps
When using our apps, we additionally collect the data necessary for functionality (Art. 6 para. 1 lit. f GDPR):
- Device type (e.g., iPhone, Samsung)
- Operating system and its interface
- Content of the request (specific page within the app)
- Technical log data to ensure operational security
6. Contact by Email, Contact Form, or Zendesk
If you contact us by email or via a contact form, we process the personal data you provide (in particular your email address and, if applicable, your name and telephone number) to handle your request.
The processing is carried out:
- pursuant to Art. 6 para. 1 lit. b GDPR if your request is aimed at the conclusion or performance of a contract,
- otherwise pursuant to Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in the proper response to inquiries.
For the management and documentation of support requests, we use Zendesk, a service of Zendesk, Inc., USA. Zendesk acts as a processor pursuant to Art. 28 GDPR. The use of Zendesk is based on our legitimate interest in efficient and structured processing of support requests (Art. 6 para. 1 lit. f GDPR).
A transfer of personal data to the USA cannot be ruled out. This transfer takes place on the basis of the EU Standard Contractual Clauses pursuant to Art. 46 GDPR and - where applicable - on the basis of the provider’s certification under the EU-U.S. Data Privacy Framework. However, it cannot be completely ruled out that U.S. authorities may access personal data in individual cases.
Support requests are generally stored for a period of 24 months and then deleted, unless statutory retention obligations prevent this or longer storage is required for the assertion, exercise, or defense of legal claims.
Further information can be found in Zendesk’s privacy policy.
7. Registration and Use of the Service
7.1 Registration
To create a customer account, we collect the following mandatory information:
- Email address (as username)
- A password chosen by you
Registration is required for the use of our services. The legal basis is Art. 6 para. 1 lit. b GDPR (initiation and performance of the contract) as well as our legitimate interest in providing a secure user account (Art. 6 para. 1 lit. f GDPR).
The provision of the mandatory information is required for the conclusion and performance of the user agreement. Without this information, no user account can be created.
7.2 Use of the Services & Optimization
We log in pseudonymized form which planning functions and how many events are used in our app. This data is collected only during active use and serves performance optimization and the recommendation of suitable functions. The legal basis is Art. 6 para. 1 lit. f GDPR (legitimate interest in improving our offering). You can object to this type of recommendation at any time (please contact us using the contact details provided in section 1).
7.3 Pre-Creation by Users with Special Rights (Admins)
Administrators (e.g., board members of an association with admin rights in the app) have the option to provisionally create accounts for third parties. The following personal data is processed:
- Email address
- First and last name
- A temporary password
The collection and transmission of this data to Gumb AG is carried out by the respective administrator. Administrators act independently as controllers within the meaning of Art. 4 No. 7 GDPR. They are obliged to ensure the lawfulness of the data collection and - if necessary - to establish an appropriate legal basis (e.g., consent or contractual basis).
Gumb AG processes the transmitted data in the context of the technical provision of the platform as an independent controller pursuant to Art. 4 No. 7 GDPR. There is no joint controllership within the meaning of Art. 26 GDPR.
The processing by Gumb AG is based on Art. 6 para. 1 lit. f GDPR (legitimate interest in providing the platform functions and efficient user management).
As soon as an administrator has created a provisional account, the data subject is informed immediately by email. In this notification, they receive a temporary password and can log in, view, change, or delete the stored data.
If a data subject does not agree with the creation of the account, they can delete the account themselves or request immediate deletion from Gumb AG at privacy@gumb.app.
8. Online Orders and Payment Service Providers
If you place an order online via our website or apps, we collect the data necessary for the conclusion of the contract (legal basis: Art. 6 para. 1 lit. b GDPR). The data is stored for the duration of the contract and in accordance with statutory retention obligations (in particular tax law requirements) (legal basis: Art. 6 para. 1 lit. c GDPR).
For payment processing, we use the following external payment service providers, who process your payment data as independent controllers:
- Stripe: Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Dublin, Ireland. Stripe privacy policy
- PayPal: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. PayPal privacy policy
The transmission of your data to the payment service providers is based on Art. 6 para. 1 lit. b GDPR (contract performance).
9. Social Login (Facebook, Google, Apple)
We offer you the option to register and log in using your existing account with the following providers:
- Facebook Connect (Meta Platforms Ireland Ltd.)
- Google (Google Ireland Limited)
- Apple (Apple Inc.)
If you log in via one of these services, you will be asked, after your consent, to transmit certain information from your profile to us. As a rule, we receive the following data:
- First name, last name
- Email address
- Profile picture (depending on the provider)
We use this data to create, provide, and personalize your Gumb account. The legal basis is Art. 6 para. 1 lit. b GDPR (initiation of the contract) as well as our legitimate interest in a convenient login process (Art. 6 para. 1 lit. f GDPR). With Apple, you have the option to hide your email address; in this case, you will receive a forwarded anonymized email address from Apple.
The data is transmitted directly by the respective provider after you have given your consent to the data transfer there.
10. Cookies and Consent Management
10.1 What Are Cookies?
Our website and apps use cookies and similar technologies (e.g., pixels, SDKs, local storage). Cookies are small text files that are stored on your device and transmit certain information to the party that sets the cookie. Cookies cannot execute programs or transmit viruses.
10.2 Categories of Cookies
We distinguish the following categories:
- Strictly necessary: These cookies are necessary for the operation of the website/app (e.g., login, security functions). Without them, we cannot provide our services. The legal basis is Art. 6 para. 1 lit. f GDPR (legitimate interest in functionality).
- Functional: These cookies enable improved functionality and personalization (e.g., saving language settings). They are set only with your consent (Art. 6 para. 1 lit. a GDPR).
- Analytics / Performance: These cookies help us understand how visitors use our site in order to improve performance. They are set only with your consent (Art. 6 para. 1 lit. a GDPR).
- Marketing / Targeting: These cookies are set by advertising partners to create profiles of your interests and show you relevant advertising. They are set only with your consent (Art. 6 para. 1 lit. a GDPR).
10.3 Consent Management with CookieScript
We use CookieScript (a service of Digital Data Solutions B.V., Netherlands) to manage and document your consent settings. CookieScript stores your consent preferences in a cookie on your device and allows us to track your selection. The legal basis is Art. 6 para. 1 lit. f GDPR in conjunction with § 25 TTDSG or the corresponding ePrivacy provisions.
You can adjust or withdraw your consent settings (e.g., for cookies, analytics, or marketing tools) at any time via the cookie banner on our website or in the app settings. The withdrawal is free of charge, simple, and takes effect for the future without affecting the lawfulness of the processing carried out up to that point. Alternatively, you can direct your withdrawal to the contact details provided in section 1.
11. Analytics Services
11.1 Google Analytics 4 (GA4) & Consent Mode v2
We use Google Analytics 4 (GA4), a web analytics service of Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). GA4 serves to analyze the use of our website and apps.
Scope of Processing
- Collection of usage data (e.g., pages visited, time spent, click behavior)
- Device and browser information
- IP address (is truncated or not stored permanently as part of the processing)
With your consent, we use Enhanced Conversions: Certain data (e.g., email addresses) is transmitted to Google in hashed form (SHA-256) to better assign conversions.
Google Consent Mode v2:
We fully respect your consent settings via the Consent Mode. Depending on your choice, Google receives either detailed data (with consent) or only aggregated, non-personal data (without consent).
Storage Period:
Data at user level is stored for a maximum of 14 months and then automatically deleted or anonymized.
Recipients and Data Transfer:
Google Ireland Limited generally acts as a processor. In certain cases, Google may also be an independent controller. It cannot be ruled out that data may be transferred to servers of Google LLC in the USA. The basis for the data transfer is the EU Standard Contractual Clauses as well as Google’s certification under the EU-U.S. Data Privacy Framework.
Legal Basis:
Your consent pursuant to Art. 6 para. 1 lit. a GDPR. You can withdraw this consent at any time via the cookie banner.
Further Information
11.2 Google Firebase (Storage, Crashlytics, Analytics)
Our apps use Firebase, a platform of Google, for the following purposes:
- Storage: Provision of media content (e.g., images) - legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in efficient delivery)
- Crashlytics: Identification and resolution of app crashes (purely technical data) - legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in stability)
- Analytics: Statistical recording of app usage - legal basis: Your consent (Art. 6 para. 1 lit. a GDPR)
The data processing takes place on Google servers, which may also be located in the USA. The same security measures apply as for Google Analytics (EU Standard Contractual Clauses, Data Privacy Framework). Google Ireland Limited generally acts as a processor for Firebase services.
11.3 Hotjar
We use Hotjar (Hotjar Ltd., Malta) to analyze the user experience. Hotjar records e.g. clicks, mouse movements, scroll behavior, and screen resolution. The data is collected in anonymized form; no personal data is stored. The legal basis is your consent (Art. 6 para. 1 lit. a GDPR).
Further information: Hotjar privacy policy
11.4 Sentry.io
For technical error monitoring, we use Sentry.io (Functional Software, Inc., USA). Sentry processes exclusively technical data (e.g., error messages, device type, operating system version) and does not store any personal data in clear text. The legal basis is Art. 6 para. 1 lit. f GDPR (legitimate interest in error correction and stability).
Further information: Sentry privacy policy
11.5 Prismic
For our help section (support pages), we use Prismic.io (Prismic, Inc., USA), a content management system. Prismic hosts texts and media content to deliver help articles quickly and reliably. The legal basis is Art. 6 para. 1 lit. f GDPR (legitimate interest in an efficient help system). The transfer to the USA takes place on the basis of EU Standard Contractual Clauses.
Further information: Prismic privacy policy
12. Advertising and Marketing
12.1 Google Ads (Remarketing & Conversion Tracking)
We use Google Ads to draw attention to our services. In doing so, we use:
- Conversion Tracking: If you click on a Google ad, a cookie is set that informs us (and Google) whether you have performed a specific action (e.g., registration).
- Remarketing Lists: Visitors to our site can later be addressed with personalized advertising on other websites in the Google advertising network.
Regarding the collection and transmission of the data to Google, there is joint controllership pursuant to Art. 26 GDPR. The further processing of the data by Google takes place under its own responsibility. Further information can be found in the privacy policies of Google.
The activation of these functions takes place only after your consent (Art. 6 para. 1 lit. a GDPR).
Further information: Google Ads privacy policy
12.2 Meta Pixel (Facebook & Instagram Advertising)
We use the Pixel of Meta Platforms Ireland Ltd. (Facebook, Instagram). The Pixel enables us to measure the effectiveness of our advertisements and to show visitors to our site interest-based advertising on Facebook and Instagram. If you have consented, we also use the extended matching (transmission of hashed email addresses to improve audience formation). The legal basis is your consent (Art. 6 para. 1 lit. a GDPR).
Regarding the collection and transmission of event data to Meta Platforms, there is joint controllership pursuant to Art. 26 GDPR. The subsequent processing of the data by Meta takes place under its own responsibility. The agreement on joint controllership (“Controller Addendum”) is available in Meta’s data protection information.
Further information: Facebook privacy policy
12.3 LinkedIn Insight Tag
We use the LinkedIn Insight Tag (LinkedIn Ireland Unlimited Company) to analyze conversions and the reach of our LinkedIn campaigns. LinkedIn receives information about your interaction with our website, which can be linked to your LinkedIn account if you are logged in there. The legal basis is your consent (Art. 6 para. 1 lit. a GDPR).
Regarding the collection and transmission of the data to LinkedIn, there is joint controllership pursuant to Art. 26 GDPR. The further processing by LinkedIn takes place under its own responsibility.
Further information: LinkedIn privacy policy
12.4 YouTube with Enhanced Data Protection
On our website, we embed videos from YouTube. We use the enhanced data protection mode. This ensures that YouTube only establishes a connection to its servers when you actively start the video by clicking. Only then will data (e.g., your IP address) be transmitted to YouTube. If you are simultaneously logged into your YouTube account, YouTube can assign the browsing behavior to your profile - you can prevent this by logging out before clicking. The legal basis is your consent (Art. 6 para. 1 lit. a GDPR).
Further information: Google privacy policy
In the context of the use of analytics and marketing tools (e.g., Google Analytics, Meta Pixel), the creation of pseudonymized usage profiles may occur. These serve the analysis of user behavior and the delivery of personalized advertising. There is no automated decision-making within the meaning of Art. 22 GDPR that produces legal effects or similarly significantly affects you. Profiling takes place only with your consent and can be revoked at any time. Risks include possible assignment to your profile by third parties, which we minimize through anonymization.
13. Data Transfer and Hosting (AWS)
We host our systems with Amazon Web Services (AWS), a service of Amazon Web Services, Inc., USA.
Services used:
- S3: Cloud storage for secure and scalable data storage
- Amazon Pinpoint: Communication with users via email, SMS, or push notifications
- Cognito: Identity management and authentication
- SES (Simple Email Service): Sending of transactional emails
Data processing region: Your data is processed primarily in the EU (Frankfurt region). Maintenance access from the USA cannot be completely excluded. This is based on the EU Standard Contractual Clauses and the EU-U.S. Data Privacy Framework. AWS is certified under the Data Privacy Framework. The legal basis for hosting is Art. 6 para. 1 lit. f GDPR (legitimate interest in a secure and powerful IT infrastructure).
It cannot be excluded that U.S. authorities may access personal data in individual cases. Despite contractual and technical protection measures, no fully equivalent level of data protection as in the EU can be guaranteed in the USA.
Further information: AWS privacy policy
Recipients of personal data
Recipients of your data may in particular be:
- IT and hosting service providers
- Analytics and marketing service providers
- Payment service providers
- Support service providers
- Authorities, to the extent legally required
If data is transferred to third countries outside the EU/EEA, this is done only on the basis of appropriate safeguards pursuant to Art. 44 et seq. GDPR, in particular Standard Contractual Clauses or adequacy decisions.
For the transfer of personal data to third countries outside the EU/EEA, such as the USA, this is done exclusively on the basis of appropriate safeguards pursuant to Art. 44 et seq. GDPR, in particular EU Standard Contractual Clauses (SCCs), adequacy decisions, or the EU-U.S. Data Privacy Framework (DPF). Despite these measures, no fully equivalent level of data protection as in the EU can be guaranteed in the USA, as U.S. authorities may access data in individual cases (e.g., under U.S. law such as the CLOUD Act). We conduct regular Transfer Impact Assessments (TIAs) to minimize risks. Users can request further details on the safeguards taken at privacy@gumb.app.
14. Job Postings and Wellfound
Applications sent directly by email to careers@gumb.app are processed via Zendesk and treated as support requests. We reserve the right to retain application documents for future suitable positions. If you wish to have them deleted, please let us know at any time by email to privacy@gumb.app - we will delete the data immediately.
You can apply to us via our application portal and the Wellfound platform. We process your personal data (master data, resume, certificates, cover letter) exclusively for the decision on an employment relationship. The legal basis is Art. 6 para. 1 lit. b GDPR (implementation of pre-contractual measures) in conjunction with § 26 BDSG.
If you wish to be included in our applicant pool, we obtain your express consent (Art. 6 para. 1 lit. a GDPR). The data will then be stored as long as the consent exists or a legitimate interest applies. You can withdraw your consent at any time; upon explicit deletion request, we will delete the data immediately.
Wellfound may transfer data to the USA; the basis is EU Standard Contractual Clauses. Further information: Wellfound privacy policy
You can also apply to us via the Indeed platform (Indeed Inc., USA). We process your personal data (master data, resume, certificates, cover letter) exclusively for the decision on an employment relationship. The legal basis is Art. 6 para. 1 lit. b GDPR (implementation of pre-contractual measures) in conjunction with § 26 BDSG. Indeed may transfer data to the USA; the basis is EU Standard Contractual Clauses as well as certification under the EU-U.S. Data Privacy Framework. Further information: Indeed privacy policy.
15. Participation in Sweepstakes
The data processing is carried out for the purpose of conducting the sweepstakes pursuant to Art. 6 para. 1 lit. b GDPR. If there is any further use (e.g., marketing), this is done exclusively on the basis of your consent (Art. 6 para. 1 lit. a GDPR).
16. Data Security
We take extensive technical and organizational security measures to protect your data against accidental or intentional manipulation, loss, destruction, or access by unauthorized persons (Art. 32 GDPR). These include:
- SSL/TLS encryption for data transmission
- Access controls and authorization concepts
- Regular review of our security procedures
Our employees are regularly trained in the handling of personal data.
17. Storage Period
We store personal data only for as long as is necessary for the respective purposes or for as long as statutory retention obligations exist (e.g., 10 years for tax-related data pursuant to HGB/AO). Examples:
- Account data: For the duration of the user relationship plus 30 days after deletion.
- Log data: Maximum 90 days, then anonymization or deletion.
- Support data (e.g., Zendesk tickets including applications via careers@gumb.app): Until deletion is requested or statutory retention obligations apply, usually up to 24 months.
- Analytics data (e.g., GA4): 14 months.
- Error data (Sentry): 90 days. After expiry, data is deleted or anonymized, unless longer storage is necessary for legal defense.
18. Update of the Privacy Policy
We occasionally adapt this privacy policy to technical developments, new functions, or legal changes, e.g., through EU reforms such as the BDSG adjustments 2026 for simplification of Data Protection Officer obligations or updates to the EU-U.S. Data Privacy Framework. The date of the last change can be found at the beginning of this document. We recommend that you read our privacy policy again at regular intervals. In the case of material changes, we will inform you by email or app notification.
For questions about data protection, please contact:
Gumb AG - Attn. Data Protection
Büsingerstrasse 5, CH-8203 Schaffhausen
Email: privacy@gumb.app
Date of Entry into Force: September 20, 2020
Last Updated: March 01, 2026