Benthos
Legal · Datenschutzerklärung

Privacy policy.

How Benthos gGmbH processes personal data on this website, under the
EU General Data Protection Regulation (GDPR / DSGVO) and the German
Federal Data Protection Act (BDSG).

Effective: 26 April 2026 · Version 1.1

This policy tells you what personal data we collect when you visit benthos.ai or write to us, why we collect it, how long we keep it, and the rights you have over it.

1. Controller

The data controller responsible for processing, within the meaning of Article 4(7) GDPR, is:

Benthos gGmbH
Gartenstr. 112
10115 Berlin, Germany
Email: info@benthos.ai
Managing Director (Geschäftsführerin): Francielly Monteiro
Register court: Amtsgericht Berlin (Charlottenburg) · HRB 283064 B

We have not appointed a Data Protection Officer. The thresholds in §38 BDSG do not currently apply to our organisation. For any data protection question, write to info@benthos.ai.

2. Scope of this policy

This policy applies to the website benthos.ai and to email correspondence with Benthos gGmbH. It does not cover the messaging assistants we operate in the field (for example the WhatsApp assistant used with partner communities), which are governed by separate consent and data agreements made with each partner organisation and community on the ground.

3. What we collect on this website

3.1 Server log data. When you load a page on benthos.ai, our hosting provider automatically records technical information necessary to serve the page and to keep the service secure. This includes:

  • IP address (truncated or full, depending on the provider's configuration)
  • Date and time of the request
  • URL requested and HTTP response code
  • Amount of data transferred
  • Referrer URL, where your browser sends one
  • Browser user-agent string and operating system

Purpose: to deliver the website, detect and defend against attacks, and maintain stability.
Legal basis: Art. 6(1)(f) GDPR (our legitimate interest in operating a working, secure website).
Retention: server logs are kept for a maximum of 30 days by our hosting provider and then deleted or anonymised.

3.2 Cookies and tracking. The pages of benthos.ai do not set any cookies of their own. We use no client-side analytics (no Google Analytics, no Plausible, no Matomo, no Meta Pixel, no heatmaps), no advertising or retargeting pixels, and no social plugins. Fonts, images and scripts are served from our own domain; we do not load Google Fonts or other third-party CDNs.

Our hosting provider may set a small number of technical cookies that are strictly necessary for the operation and security of the service, for example cookies used for load balancing or bot protection at the server edge. These cookies carry no tracking or analytics function and are covered by §25(2)(2) TTDSG as strictly necessary for the service you requested. Because the site does not rely on cookies for which consent is required under §25(1) TTDSG, we do not display a consent banner.

3.3 Aggregated site statistics. Our hosting provider (see section 4) produces aggregated statistics about traffic to benthos.ai, including session counts, country of origin, and device type, by processing the server log data described in section 3.1 on the server side. This processing does not place cookies on your device, does not rely on client-side scripts, and does not create a persistent identifier that could be used to recognise you on later visits. It operates on the same log data and under the same legal basis (legitimate interest, Art. 6(1)(f) GDPR) as server log processing itself. The aggregated output is visible only to Benthos gGmbH in the hosting provider's control panel.

3.4 Contact by email. If you write to us (for example at info@benthos.ai or to any team address on this site), we receive and process the personal data you choose to send us: your name, email address, any attachments, and the content of your message.

Purpose: to answer your enquiry and, where relevant, to continue an institutional conversation (for example with funders, partners or journalists).
Legal basis: Art. 6(1)(b) GDPR where we are taking steps at your request prior to entering a contract, and Art. 6(1)(f) GDPR (legitimate interest in responding to enquiries addressed to us) in all other cases.
Retention: we keep email correspondence as long as it is relevant to the purpose it was sent for, and for any retention period required by German tax and commercial law (typically 6 or 10 years under §147 AO and §257 HGB). We delete correspondence earlier on request, unless a legal obligation prevents us from doing so.

3.5 Donations and tax receipts. When you transfer a donation to Benthos gGmbH, our bank receives and records the data your bank transmits with the payment, typically your name, the IBAN of the sending account, the date, the amount, and any text you wrote in the reference field. If you request a Zuwendungsbestätigung (German tax receipt) or write to donations@benthos.ai with details of your donation, we additionally process the email address, name and postal address you provide for that purpose.

Purpose: receiving the donation, issuing a Zuwendungsbestätigung where requested, and meeting our accounting and tax obligations under German law.
Legal basis: Art. 6(1)(b) GDPR for issuing a receipt at your request, and Art. 6(1)(c) GDPR for the underlying tax and bookkeeping obligations under §50 EStDV, §10b EStG and the Abgabenordnung.
Retention: donation records, including the bank-statement entry and any Zuwendungsbestätigung issued, form part of our accounting records and are retained for ten years under §147 of the Abgabenordnung. Personal data received in connection with a donation but not part of the accounting record is deleted once it is no longer needed for the purpose it was sent for.

4. Recipients and data processors

We use the following service providers, who act as data processors for us under Art. 28 GDPR:

  • Website hosting: Hostinger International Ltd (registered in Cyprus) operating through Hostinger UAB (Kaunas, Lithuania, European Union). The primary server for benthos.ai is located in Germany; site backups are stored in France. Both locations are within the European Economic Area. A data processing agreement under Art. 28 GDPR is in place through Hostinger's standard Data Processing Addendum.
  • Email: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, D04 E5W5, Ireland, acting as processor under the Google Workspace Data Processing Addendum. We use Google Workspace for Nonprofits to operate the @benthos.ai mailboxes. Google Ireland Limited subcontracts parts of the service to Google LLC (Mountain View, California, USA); transfer safeguards are described in section 5.
  • Banking: GLS Gemeinschaftsbank eG (Christstraße 9, 44789 Bochum, Germany) holds the account to which donations are transferred. The bank receives and processes the data on each incoming transfer as an independent controller under German banking and payment-services law. It is not our processor under Art. 28 GDPR.

We do not sell personal data. We do not share personal data with third parties for their own marketing purposes. We disclose personal data to public authorities only where a statutory obligation requires us to do so.

5. Transfers outside the EU / EEA

Website hosting takes place entirely within the European Economic Area: the primary server is located in Germany and backups are stored in France (see section 4). No third-country transfer arises from serving pages, from storing server log data, or from routine backup operations.

Email correspondence handled through Google Workspace involves a transfer of personal data to the United States, where Google LLC operates parts of the infrastructure on behalf of Google Ireland Limited. For these transfers we rely on:

  • the EU–US Data Privacy Framework, an adequacy decision of the European Commission of 10 July 2023 under Art. 45 GDPR. Google LLC is self-certified under the Framework (dataprivacyframework.gov); and
  • as a complementary safeguard under Art. 46(2)(c) GDPR, the Standard Contractual Clauses adopted by the European Commission on 4 June 2021, as incorporated into the Google Workspace Data Processing Addendum, together with the technical and organisational measures Google applies.

The Google Workspace Data Processing Addendum is publicly available at workspace.google.com/terms/dpa_terms.html. A copy of the transfer safeguards in force for any other processor is available on request at info@benthos.ai.

6. Your rights

Under Articles 15 to 22 GDPR, you have the following rights in relation to the personal data we process about you:

  • Access: to ask us whether we hold data about you and, if so, to receive a copy (Art. 15).
  • Rectification: to have inaccurate or incomplete data corrected (Art. 16).
  • Erasure: to have your data deleted where one of the grounds in Art. 17 applies.
  • Restriction: to have processing restricted while a request is being handled (Art. 18).
  • Data portability: to receive data you provided to us in a structured, commonly used, machine-readable format (Art. 20).
  • Objection: to object, on grounds relating to your particular situation, to processing based on Art. 6(1)(f) GDPR (Art. 21).
  • Withdraw consent: where processing is based on consent under Art. 6(1)(a) or Art. 9(2)(a) GDPR, to withdraw that consent at any time, without affecting the lawfulness of processing done before withdrawal.

To exercise any of these rights, write to info@benthos.ai. We will respond within the statutory deadline (one month under Art. 12(3) GDPR, or up to three months for complex requests, in which case we will tell you within the first month).

7. Right to lodge a complaint

You have the right under Art. 77 GDPR to lodge a complaint with a supervisory authority. The authority responsible for Benthos gGmbH is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59–61, 10555 Berlin, Germany
Website: www.datenschutz-berlin.de

You may also lodge a complaint with the supervisory authority in your country of residence or place of work within the European Union.

8. Obligation to provide data

You are not legally or contractually obliged to provide personal data to us. You can visit this website without giving us any data beyond the technical log information described in section 3.1, which is generated automatically by your browser. If you choose not to write to us, we cannot answer an enquiry that was never sent. That is the only consequence.

9. Automated decision-making

We do not use personal data from this website for automated decision-making or profiling within the meaning of Art. 22 GDPR. The AI assistants we operate in the field are governed by separate agreements with the communities and partner organisations involved and are not in scope here.

10. Security

Traffic to benthos.ai is served over HTTPS (TLS). Our hosting provider is contractually bound under Art. 28 GDPR to apply appropriate technical and organisational measures under Art. 32 GDPR. No method of transmission over the public internet is ever fully secure; if you send us sensitive information by email, consider whether encrypted channels are more appropriate.

11. Children

This website is not directed at children. We do not knowingly collect data from children on benthos.ai. Field programmes that involve minors are governed by separate consent agreements made with legal guardians, schools or community organisations, and are outside the scope of this policy.

12. Changes to this policy

We update this policy when the law changes, when we add or change a processor, or when a site function changes what data is processed. The current version is available at this URL, marked with an effective date and version number at the top.