Case studies
Let re:fund's success stories convince you. Find out more here.
LexHub GmbH ("re:fund")
Last updated: February 2026
The controller responsible for the processing of personal data within the meaning of the GDPR is:
Company: LexHub GmbH ("re:fund")
Address: Wadzeckstraße 4, 10178 Berlin, Germany
Authorized Representative: Marten Pieper
Email: info@letsrefund.de
Imprint Link: letsrefund.de/impressum
We take the protection of your personal data seriously and treat your personal data confidentially and in accordance with the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and the Telecommunications Digital Services Data Protection Act (TDDDG). This privacy policy informs you about the nature, scope and purpose of the processing of personal data on our website and platform as well as your rights as a data subject.
We process personal data only on the basis of one of the following legal bases:
Art. 6 para. 1 lit. a GDPR - Consent of the data subject
Art. 6 para. 1 lit. b GDPR - Performance of a contract or pre-contractual measures
Art. 6 para. 1 lit. c GDPR - Compliance with a legal obligation
Art. 6 para. 1 lit. f GDPR - Legitimate interests of the controller or third parties
When you visit our website, the hosting provider automatically stores so-called server log files. These include browser type, operating system, referrer URL, IP address, access time and pages accessed. This data serves the technical safeguarding of the operation and is not merged with other data sources.
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in stable operation)
Storage duration: Usually 7-14 days
If you contact us by email (info@letsrefund.de), we process the data you provide (name, email address, message content) exclusively for processing your request.
Legal basis: Art. 6 para. 1 lit. b GDPR (pre-contractual measures) or Art. 6 para. 1 lit. f GDPR (legitimate interest)
Storage duration: Until final processing, thereafter according to statutory retention periods (possibly 6-10 years according to HGB/AO)
Provider: Calendly LLC, 1315 Peachtree St NE, Atlanta, GA 30309, USA
Purpose: Online appointment booking and management
Processed data: Name, email address, phone number if applicable, selected appointment, message
Legal basis: Art. 6 para. 1 lit. b GDPR (performance of a contract / pre-contractual measures) or Art. 6 para. 1 lit. f GDPR
Third-country transfer: USA; safeguarded by EU Standard Contractual Clauses (SCCs) according to Art. 46 GDPR; DPA according to Art. 28 GDPR concluded
Storage duration: For the duration of the appointment processing
Provider's privacy policy
To provide our contractual services, we process the data of our customers and users required for the respective service.
Legal basis: Art. 6 para. 1 lit. b GDPR
Storage duration: Duration of the contractual relationship as well as statutory retention periods (booking receipts: 8 years according to § 257 para. 1 no. 4 HGB in conjunction with BEG IV; annual financial statements: 10 years according to § 257 para. 1 no. 1 HGB)
Our website uses SSL or TLS encryption for security reasons. You can recognize an encrypted connection by the "https://" in the address line and the lock symbol in the browser.
Our website uses cookies. Technically necessary cookies are set on the basis of § 25 para. 2 TDDDG without consent. For all other cookies (analysis, marketing), we obtain your consent in accordance with § 25 para. 1 TDDDG in conjunction with Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time via the cookie settings (link in the footer).
Provider: Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark
Purpose: Obtaining, managing and documenting cookie consents in accordance with § 25 TDDDG and GDPR
Processed data: Technically necessary consent cookie (no personal data)
Legal basis: Art. 6 para. 1 lit. c GDPR (legal obligation) and Art. 6 para. 1 lit. f GDPR (legitimate interest)
Third-country transfer: No transfer to third countries
Storage duration: 12 months
Provider's privacy policy
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose: Web analysis to evaluate user behavior and optimize our website
Processed data: IP address (anonymized), page views, length of stay, browser/device information, interactions
Legal basis: Art. 6 para. 1 lit. a GDPR (consent); § 25 para. 1 TDDDG for cookie setting
Third-country transfer: USA; safeguarded by SCCs and EU-US Data Privacy Framework; DPA according to Art. 28 GDPR concluded
Storage duration: 14 months (then automatic deletion by Google)
Provider's privacy policy
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose: Management of website tags via a central interface; the Tag Manager itself does not set cookies and does not collect personal data
Processed data: No independent data collection; controls other tags
Legal basis: Art. 6 para. 1 lit. a GDPR (consent via consent tool)
Third-country transfer: USA; safeguarded by SCCs
Storage duration: No independent storage
Provider's privacy policy
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose: Uniform display of fonts on the website
Processed data: IP address (transmitted to Google servers when loading the fonts)
Legal basis: Art. 6 para. 1 lit. a GDPR (consent); consent is obtained via cookie banner
Third-country transfer: USA; safeguarded by SCCs
Storage duration: No independent storage by LexHub
Provider's privacy policy
Provider: Hotjar Ltd., Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta
Purpose: Analysis of user behavior (heatmaps, session recordings, feedback surveys) to improve user experience
Processed data: IP address (anonymized), device type, screen resolution, browser information, geographic origin, date and time, mouse movements, clicks, scroll depth
Legal basis: Art. 6 para. 1 lit. a GDPR (consent); § 25 para. 1 TDDDG for cookie setting; DPA according to Art. 28 GDPR concluded
Third-country transfer: Data is stored on servers within the EU
Storage duration: Maximum 365 days
Provider's privacy policy
Opt-Out
Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
Purpose: Analysis of website usage, conversion tracking for LinkedIn advertising campaigns and retargeting
Processed data: IP address, device and browser data, page views, interactions; cookie validity: 90 days
Legal basis: Art. 6 para. 1 lit. a GDPR (consent); § 25 para. 1 TDDDG; DPA according to Art. 28 GDPR concluded
Third-country transfer: USA; safeguarded by SCCs and EU-US Data Privacy Framework
Storage duration: Aggregated, anonymized evaluations; no personal reference for LexHub
Provider's privacy policy
Opt-Out
We maintain a company profile on LinkedIn. Upon interaction with our profile (visits, comments, messages), personal data is processed by LinkedIn. Joint controllership in accordance with Art. 26 GDPR may exist between us and LinkedIn.
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in public relations)
LinkedIn privacy policy
For internal and external communication as well as collaboration with clients, we use the following cloud services:
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose: Email (Gmail), document management (Google Drive, Docs, Sheets), video conferences (Google Meet), communication (Google Chat), appointment management (Google Calendar)
Processed data: Communication contents (emails, chats, video conferences), contact data, documents, technical connection data
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest) and Art. 6 para. 1 lit. b GDPR (performance of a contract); DPA according to Art. 28 GDPR concluded
Third-country transfer: Primarily EU data centers; USA transfer possible; safeguarded by SCCs and EU-US Data Privacy Framework
Storage duration: For the duration of the business relationship, thereafter statutory retention periods
Provider's privacy policy
Provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland
Purpose: Email (Outlook), communication and video conferences (Teams), cloud storage (OneDrive, SharePoint), Office applications
Processed data: Communication contents (emails, chats, video conferences), contact data, documents, technical connection data
Legal basis: Art. 6 para. 1 lit. f GDPR and Art. 6 para. 1 lit. b GDPR; DPA according to Art. 28 GDPR concluded
Third-country transfer: Primarily EU data centers; USA transfer possible; safeguarded by SCCs and EU-US Data Privacy Framework
Storage duration: For the duration of the business relationship, thereafter statutory retention periods
Provider's privacy policy
Provider: Notion Labs, Inc., 2300 Harrison Street, San Francisco, CA 94110, USA
Purpose: Document management, task planning, knowledge management and internal collaboration
Processed data: User data (name, email), project data (comments, tasks, notes, files), technical information
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in efficient organization); DPA according to Art. 28 GDPR concluded
Third-country transfer: USA; safeguarded by SCCs and EU-US Data Privacy Framework
Storage duration: For the duration of use, then deletion
Provider's privacy policy
Provider: Webflow, Inc., 398 11th Street, Floor 2, San Francisco, CA 94103, USA
Purpose: Design, creation and hosting of our website
Processed data: IP address, technical device data, timestamp, pages accessed
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in technically secure website) and Art. 6 para. 1 lit. b GDPR; DPA according to Art. 28 GDPR concluded
Third-country transfer: USA; safeguarded by SCCs and EU-US Data Privacy Framework
Storage duration: Server logs: standard retention for technical operation
Provider's privacy policy
Provider: Hetzner Online GmbH, Industriestraße 25, 91710 Gunzenhausen, Germany
Purpose: Server infrastructure, cloud services, web/database hosting and data backup
Processed data: IP address, access time, transferred data volumes, server logs
Legal basis: Art. 6 para. 1 lit. f GDPR and Art. 6 para. 1 lit. b GDPR; DPA according to Art. 28 GDPR concluded
Third-country transfer: None; processing exclusively within the EU
Storage duration: Only as long as required for operation or statutory periods
Provider's privacy policy
Provider: LexHub GmbH ("re:fund"), Wadzeckstraße 4, 10178 Berlin (In-house development; no external software provider)
Purpose: Processing, administration and tracking of application data (R&D applications) within the scope of contractual service provision to our clients
Processed data: Name, address and contact details of applicants; bank details (IBAN, account holder); application and process data (application status, amounts, deadlines, internal notes); technical connection data (IP address, timestamp)
Legal basis: Art. 6 para. 1 lit. b GDPR (performance of a contract with the client or pre-contractual measures) as well as Art. 6 para. 1 lit. f GDPR (legitimate interest in efficient and traceable application management)
Access: Exclusively authorized employees of LexHub GmbH; no access by external third parties
Hosting: The platform is operated on servers of Hetzner Online GmbH in Germany (see section 9.2); data processing takes place exclusively within the EU.
Third-country transfer: None; processing exclusively within the EU
Storage duration: For the duration of the contractual relationship with the respective client; thereafter according to the statutory retention periods in accordance with HGB and AO (booking receipts: 8 years, § 257 para. 1 no. 4 HGB; annual financial statements: 10 years, § 257 para. 1 no. 1 HGB)
Qonto acts as an independent data controller within the meaning of Art. 4 No. 7 GDPR - no data processing on behalf takes place.
Provider: Olinda SAS (Qonto), 20 bis rue Bouvier, 75011 Paris, France
Purpose: Management of the business account, payment processing, creation of account statements
Processed data: Master data (name, address, email, account holder), bank and transaction data (IBAN, payment amount, purpose), billing data
Legal basis: Art. 6 para. 1 lit. b GDPR (performance of a contract) and Art. 6 para. 1 lit. f GDPR
Third-country transfer: France / EU; processing on servers in France
Storage duration: Commercial and business letters: 6 years (§ 257 HGB); booking receipts and invoices: 8 years (§ 257 para. 1 no. 4 HGB, § 147 para. 1 no. 4 AO, amended by BEG IV as of 01.01.2025)
Provider's privacy policy
Provider: DATEV eG, Paumgartnerstraße 6-14, 90429 Nuremberg, Germany
Purpose: Bookkeeping, document archiving and invoice processing
Processed data: Booking, invoice, receipt and contact data of customers, suppliers and, if applicable, employees
Legal basis: Art. 6 para. 1 lit. b GDPR (performance of a contract) and Art. 6 para. 1 lit. c GDPR (statutory retention obligations); DPA according to Art. 28 GDPR concluded
Third-country transfer: None; processing exclusively in German data centers
Storage duration: Statutory retention periods (HGB, AO: up to 10 years) Booking receipts and invoices: 8 years (§ 257 para. 1 no. 4 HGB, § 147 para. 1 no. 4 AO, amended by BEG IV as of 01.01.2025); commercial books and annual financial statements: 10 years (§ 257 para. 1 no. 1 HGB)
Provider's privacy policy
Provider: CleverLohn GmbH, Riesaer Straße 5, 01129 Dresden, Germany
Purpose: Digital payroll and salary accounting as well as personnel management for employees
Processed data: Master data (name, address, date of birth, tax ID, bank details), billing data (working hours, salary, social security and health insurance data)
Legal basis: Art. 6 para. 1 lit. b GDPR (performance of a contract) and Art. 6 para. 1 lit. c GDPR (tax and social security obligations); DPA according to Art. 28 GDPR concluded
Third-country transfer: None; processing within the EU
Storage duration: Wage tax documents: 10 years (§ 147 AO); social security documents: until the end of the calendar year following the last company audit (§ 28f para. 1 SGB IV); payroll account: 6 years (§ 41 para. 1 sentence 9 EStG)
Provider's privacy policy
Provider: apilayer GmbH, Wiedner Hauptstraße 65, 1040 Vienna, Austria
Purpose: Electronic signing, management and archiving of contracts and legally binding documents
Processed data: Identification and contact data (name, email, phone), signature data (timestamp, digital signature, IP address), possibly document contents
Legal basis: Art. 6 para. 1 lit. b GDPR (performance of a contract) and Art. 6 para. 1 lit. f GDPR; DPA according to Art. 28 GDPR concluded
Third-country transfer: Primarily EU data centers; possible transfer for certain functions safeguarded by SCCs
Storage duration: Commercial and business letters: 6 years (§ 257 HGB); tax-relevant receipts: 8 years (§ 147 AO, amended by BEG IV as of 01.01.2025); annual financial statements: 10 years (§ 257 HGB)
Provider's privacy policy
Provider: IONOS SE, Elgendorfer Straße 57, 56410 Montabaur, Germany
Purpose: Audit-proof, GOBD-compliant archiving of business emails according to HGB and AO
Processed data: Communication data from emails (name, email address, subject, message content, timestamp, attachments)
Legal basis: Art. 6 para. 1 lit. c GDPR (legal obligation) and Art. 6 para. 1 lit. f GDPR; DPA according to Art. 28 GDPR concluded
Third-country transfer: None; processing within the EU
Storage duration: For the duration of statutory retention periods (HGB, AO)
Provider's privacy policy
We store personal data only as long as is necessary for the respective processing purpose or as long as statutory retention obligations (e.g. according to HGB or AO) exist. Once the purpose no longer applies or the period expires, the data is deleted or blocked. Statutory retention periods:
Commercial and business letters: 6 years (§ 257 HGB)
Booking receipts and invoices: 8 years (§ 257 para. 1 no. 4 HGB, § 147 para. 1 no. 4 AO, amended by BEG IV as of 01.01.2025); annual financial statements and commercial books: 10 years (§ 257 HGB)
Payroll records: Social security remuneration documents: until the end of the calendar year following the last company audit (§ 28f para. 1 SGB IV); wage tax documents: 10 years (§ 147 AO)
Social security contribution documents (§ 28f SGB IV): until the end of the calendar year following the last company audit (at least 5 years); payroll account: 6 years (§ 41 EStG)
According to the GDPR (Chapter III, Art. 15 et seq.), you are entitled to the following rights. Please send inquiries to: info@letsrefund.de
Right of access (Art. 15 GDPR) You have the right to receive free information at any time about the data stored about you (processing purpose, data categories, recipients, storage duration, origin of the data).
Right to rectification (Art. 16 GDPR) You have the right to request the immediate rectification of incorrect data or the completion of incomplete data.
Right to erasure (Art. 17 GDPR) You have the right to the erasure of your data, provided that no statutory retention obligations or other legitimate grounds for processing oppose this.
Right to restriction of processing (Art. 18 GDPR) You can request the restriction of processing, for instance if you dispute the accuracy of the data or the processing is unlawful.
Right to data portability (Art. 20 GDPR) You have the right to receive your data in a structured, common and machine-readable format or to have it transferred to another controller.
Right to object (Art. 21 GDPR) You have the right to object to the processing of your data based on Art. 6 para. 1 lit. e or f GDPR. In the case of direct marketing, you can object at any time without giving reasons.
Right to withdraw consent (Art. 7 para. 3 GDPR) Insofar as the processing is based on your consent, you can revoke this at any time with effect for the future, without the lawfulness of the previous processing being affected.
Right to lodge a complaint (Art. 77 GDPR) You have the right to complain to the competent data protection supervisory authority: Competent authority: Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) Incumbent: Meike Kamp
We do not make automated decisions within the meaning of Art. 22 GDPR that have legal or similarly significant effects on you. If we use marketing tools, aggregated statistical evaluations are created without individual automated decisions being made.
The provision of personal data is in some cases required by law (e.g. tax regulations) or contractually prescribed or necessary for the conclusion of a contract. Where this applies, we inform you in the respective context. If you do not provide the relevant data, this may lead to us not being able to conclude the contract or provide our services.
We update this privacy policy in the event of changes to our data processing operations or legal requirements. The current version can always be found on our website at www.letsrefund.de/datenschutz.
Last updated: February 2026
