Important notice: This English version of our Privacy Policy is a convenience translation only. The legally binding version is the German original (Datenschutzerklärung). In case of any discrepancies between this translation and the German version, the German version shall prevail.
Privacy Policy of CoStore Holding GmbH
CoStore appreciates your interest in our company and our services. We want you to feel comfortable when contacting us. Therefore, the security of your personal data that arises when you contact CoStore – such as name, address, phone number, or email address – is an important concern for us.
This privacy notice is addressed to all persons with whom CoStore (“we” or “us”) interacts, including customers, potential customers, prospects, visitors to our websites, users of our apps/applications, other users of our products or services, and visitors to our locations (“you” or “your”). It contains the information required under Articles 13 and 14 of the GDPR.
The processing of personal data is carried out in accordance with statutory provisions. Personal data means any information relating to an identified or identifiable natural person. Processing includes any operation related to personal data – such as collection, recording, storage, adaptation, use, transmission, or deletion. Further terms correspond to the definitions in Article 4 of the GDPR.
CoStore Holding GmbH
Große Rheinstrasse 22
76661 Philippsburg, Germany
We collect and process your personal data in particular in the following cases:
Please keep your information up to date and inform us of any changes – particularly your contact details.
We process the following data in particular: name, address, phone number, email address, company name (if applicable), role, business contact details, as well as contract and transaction data, insofar as they are necessary for the business relationship.
We process personal data for the reservation, rental, and management of storage spaces as well as for the execution of rental agreements and additional services, in particular:
Booking, management, and cancellation are processed through our partner Kinnovis. You will receive transaction-related emails (e.g., contract documents, direct debit information, invoices) pursuant to Art. 6(1)(b) GDPR. These are necessary for contract performance and cannot be unsubscribed from.
More information: https://kinnovis.com/privacy-policy/
User registration is carried out via Kinnovis (www.kinnovis.com). The data processed includes name, email address, phone number, and company name (if applicable).
In the event of payment arrears, data (name, address, contract and invoice data) may be transmitted to debt collection agencies or lawyers. Legal basis: Art. 6(1)(f) GDPR (legitimate interest).
Personal data is stored for as long as it is necessary for contract processing. Statutory retention periods apply thereafter. Enquiries are deleted no later than 12 months after completion, unless statutory obligations require otherwise.
Data processing agreements pursuant to Art. 28 GDPR are in place with all service providers to ensure data protection and data security.
We process personal data for the organisation, execution, and follow-up of visits and events.
We use Microsoft services for scheduling and coordination. Legal basis: Art. 6(1)(b) GDPR. Privacy notice: microsoft.com/de-de/privacy/privacystatement
At publicly accessible events, photo and video recordings may be made for documentation and public relations purposes. Signs on-site inform visitors about photo and video recordings. If you do not wish to be recorded, please speak to the event team.
You may object to the processing of photo and video data for personal reasons. Please inform us or the photographers on-site.
In addition to our products, we offer service and consultation via phone, email, contact form, WhatsApp Business, chatbot (JaneGPT by Kinnovis), our own AI-powered website chatbot, or on-site. Bookings or contract conclusions are made exclusively via Kinnovis.
Notice on the Use of Artificial Intelligence: To efficiently process your enquiries, we use AI-powered systems. Enquiries received via contact form, email, phone, WhatsApp, or our website chatbot may be automatically analysed, categorised, and partially answered by AI systems.
We use AI services to support our customer communication. This includes the automated analysis and, where applicable, response to customer enquiries across various communication channels (email, contact form, WhatsApp, website chatbot, phone). Processing is based on our legitimate interest in efficient customer service (Art. 6(1)(f) GDPR). When using our website chatbot, processing is additionally based on your consent (Art. 6(1)(a) GDPR).
As part of this automated processing, the content of your enquiries and associated contact data are transmitted to the following AI service providers:
| Service Provider | Purpose | Server Location | Privacy Notice |
|---|---|---|---|
| OpenAI (ChatGPT) | AI-powered analysis and response to customer enquiries | USA | openai.com/policies/privacy-policy |
| Anthropic (Claude) | AI-powered analysis and response to customer enquiries, website chatbot | USA | anthropic.com/privacy |
| Make (Celonis SE) | Automation platform for routing and processing of enquiries | EU | make.com/en/privacy-notice |
The use of OpenAI and Anthropic may involve the transfer of personal data to the USA. The transfer is based on Standard Contractual Clauses (Art. 46(2)(c) GDPR) and/or the EU-US Data Privacy Framework. Your messages are stored for quality improvement purposes for up to 30 days. You have the right to object to AI-powered processing and to request that your enquiry is handled exclusively by our staff.
We operate our own AI-powered chatbot on our website. This chatbot uses the automation platform Make (EU servers) and the AI service Claude by Anthropic to process your enquiries. When using the chatbot, you will be informed about the AI processing beforehand and asked for your consent. Without your consent, no AI-powered processing takes place. You can leave the chatbot at any time and contact us alternatively by phone, WhatsApp, or email.
Service enquiries are stored for up to 12 months after processing and then deleted, unless statutory retention periods apply. AI-processed messages are deleted by the AI service providers after a maximum of 30 days.
We offer newsletter services to regularly inform you about products, services, and offers.
We use a double opt-in procedure for newsletter registration:
You can unsubscribe from the newsletter at any time via an unsubscribe link in each email or by contacting us directly.
We use the email marketing service provider Klaviyo to send our newsletters. Your data is processed exclusively on our behalf. More information: https://www.klaviyo.com/legal. Klaviyo acts as a data processor pursuant to Art. 28 GDPR.
We store your email address and preferences for as long as you are subscribed. After unsubscribing, the data is deleted within 30 days.
To manage our customer relationships and centrally store communication data, we use the CRM system Twenty in its cloud version.
Twenty is operated as a cloud service. Data is hosted on Amazon Web Services (AWS) servers in the USA. The data transfer to the USA is based on Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR and, where applicable, the EU-US Data Privacy Framework. More information: https://twenty.com/legal/privacy
Processing is based on our legitimate interest in efficient customer management (Art. 6(1)(f) GDPR) and for contract performance (Art. 6(1)(b) GDPR).
Customer data is stored in Twenty for the duration of the business relationship or as required by statutory retention periods. After the purpose of processing ceases, data is deleted or anonymised.
In connection with the use of our storage spaces and access to our locations, we process personal data for access control, security, and surveillance:
Our locations are equipped with visible video surveillance. Video surveillance is carried out in particular:
Video recordings are generally stored for a maximum of 14 days and then automatically deleted, unless security-related incidents require longer storage.
For enhanced security, we work with external security service providers who monitor the video surveillance in real time outside our business hours (10:00 PM – 8:00 AM).
Video surveillance is indicated by appropriate signs at our locations. You have the right to request information about stored recordings or to object to the processing.
As part of our corporate communications, we process personal data for event documentation, press work, and digital media appearances:
Recordings may be published on the CoStore website, social media (LinkedIn, Facebook, Instagram), and in print or online publications. If you do not wish recordings of you to be published, you may object at any time.
We process personal data for the assertion, exercise, or defence of legal claims:
Where legally permissible or with your consent, we process data for promotional communication, customer satisfaction surveys, promotions, and competitions.
We are subject to statutory obligations for processing and retaining personal data, e.g., under the German Commercial Code (HGB) and the German Fiscal Code (AO).
Data processing also takes place for quality management, improvement of customer satisfaction, development of products and services, and improvement of IT security.
We use the following service providers for the technical provision and security of our website:
| Service | Purpose | Privacy Notice |
|---|---|---|
| Amazon Web Services (AWS) | Hosting and cloud services | aws.amazon.com/privacy |
| Webflow | Web design and hosting platform | webflow.com/legal/privacy |
| Stripe | Payment service provider (incl. fraud prevention) | stripe.com/de/privacy |
| Kinnovis | Booking and contract management platform | kinnovis.com/privacy-policy |
| Consentmanager | Cookie consent management (GDPR) | consentmanager.de/datenschutz |
| Cloudflare | Security and performance service (DDoS protection, CDN) | cloudflare.com/privacypolicy |
| Amazon CloudFront | Content Delivery Network (CDN) | aws.amazon.com/cloudfront |
| Google Maps | Map service for location display, navigation, and location analysis | policies.google.com/privacy |
| OpenStreetMap | Map service for location analysis and partner properties (IP address transmitted) | osmfoundation.org/Privacy_Policy |
| Google Fonts | Provision of fonts (IP addresses may be processed) | fonts.google.com/about |
| jsDelivr | Provision of icons and libraries | jsdelivr.com/privacy-policy |
| Unpkg | Provision of static files | unpkg.com |
| Sipgate (Satellite) | Online telephony for receiving calls | sipgate.de/datenschutz |
| ClickSend | Sending SMS notifications (phone number and message content) | clicksend.com/privacy-policy |
| Microsoft Outlook / Microsoft 365 | Email communication and calendar management (cloud) | privacy.microsoft.com |

| Service | Purpose | Privacy Notice |
|---|---|---|
| Google Analytics | Web analytics (IP anonymisation enabled) | policies.google.com |
| Google Tag Manager | Management of marketing and tracking tags | policies.google.com |
| Google Ads Remarketing | Interest-based advertisements | policies.google.com/technologies/ads |
| Facebook Plugin | Integration of Facebook features | facebook.com/about/privacy |
| Facebook Remarketing | Personalised advertisements (Custom Audiences) | facebook.com/about/privacy |
| Facebook Lead Ads | Capture of user enquiries via Facebook ad forms | facebook.com/about/privacy |
| Klaviyo | Email marketing for newsletters and communication | klaviyo.com/legal/privacy-policy |
| Microsoft Booking Tool | Online appointment booking | privacy.microsoft.com |
| Microsoft Forms | Online forms for customer enquiries and feedback | privacy.microsoft.com |
| WhatsApp Business | Customer communication (GDPR-compliant) | whatsapp.com/legal |
In the course of our business activities, personal data may be transferred to countries outside the EU/EEA, in particular to the USA. This applies to the following services, among others:
Transfers are based on adequacy decisions by the European Commission, Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR, and/or the EU-US Data Privacy Framework.
When sharing data with service providers, we ensure compliance with data protection requirements (data processing agreements, Standard Contractual Clauses).
We store personal data only for as long as necessary. The following periods apply:
If deletion is not possible, processing will be restricted.
We implement technical and organisational measures:
When using third-party services (social media, cloud services, AI services), additional security risks may exist.
For all questions regarding the processing of personal data:
Marcel Philipp Lang
Email: datenschutz@costore.de
As of: 03.03.2026
