Privacy Policy of CoStore Holding GmbH
CoStore appreciates your interest in our company and services. We want you to feel comfortable when interacting with us. The security of your personal data that arises when you contact CoStore – such as name, address, telephone number or email address – is therefore an important concern for us.
This privacy notice is directed at all persons with whom CoStore ("we" or "us") interacts, including customers, prospective customers, interested parties and visitors to our websites, users of our apps/applications, other users of our products or services, and visitors to our locations ("you"). It contains the information required under Articles 13 and 14 GDPR.
The processing of personal data takes place within the framework of statutory provisions. Personal data means any information relating to an identified or identifiable natural person. Processing covers any operation involving personal data – such as collection, recording, storage, adaptation, use, transmission or deletion. Further terms correspond to the definitions in Article 4 GDPR.
CoStore Holding GmbH
Große Rheinstrasse 22
76661 Philippsburg, Germany
We collect and process your personal data in particular in the following cases:
Please keep your information up to date and inform us of any changes – especially of your contact details.
We process in particular the following data: name, address, telephone number, email address, where applicable company name, position, business contact details as well as contract and transaction data, insofar as they are required for the business relationship.
We process personal data for the reservation, rental and management of storage spaces as well as for the handling of rental agreements and additional services, in particular:
Booking, administration and termination are handled via our partner Kinnovis. You will receive transactional emails (e.g. contract documents, move-in information, invoices) in accordance with Art. 6(1)(b) GDPR. These are necessary for contract performance and cannot be unsubscribed from.
Further information: https://kinnovis.com/privacy-policy/
In addition to automated email dispatch via Kinnovis, we also contact customers and prospects directly by email (via Microsoft Outlook / Microsoft 365), by phone (where applicable via Sipgate) and via WhatsApp Business. This applies in particular to:
Processing takes place on the basis of Art. 6(1)(b) GDPR (contract performance or pre-contractual measures) and Art. 6(1)(f) GDPR (legitimate interest in efficient customer communication). AI-assisted pre-processing may also take place via these communication channels (see section "AI-assisted processing of customer enquiries").
For identity verification upon contract conclusion and for fraud prevention, we use the Stripe Identity service. The following data may be processed:
Processing takes place on the basis of Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in fraud prevention). Insofar as biometric data is processed, this takes place on the basis of your explicit consent pursuant to Art. 9(2)(a) GDPR. The results of the identity verification are also transmitted to our partner Kinnovis and stored there as part of contract administration. Stripe may process data in the USA. The transfer takes place on the basis of standard contractual clauses and/or the EU-US Data Privacy Framework. Further information: stripe.com/de/privacy
To check creditworthiness after contract conclusion, we use the Creditscore API of Wunderkopf Technologies GmbH. Personal data (in particular name, address and, where applicable, date of birth) is transmitted to Wunderkopf in order to obtain a credit report. The check serves to protect against payment defaults and takes place separately from the booking process. Processing takes place on the basis of our legitimate interest in protecting against payment defaults (Art. 6(1)(f) GDPR) and for contract performance (Art. 6(1)(b) GDPR). Further information: wunderkopf.technology/terms/datenschutz
User registration takes place via Kinnovis (www.kinnovis.com). Name, email address, telephone number and, where applicable, company name are processed.
In the event of payment arrears, data (name, address, contract and invoice data) may be transmitted to debt collection service providers or lawyers. Legal basis: Art. 6(1)(f) GDPR (legitimate interest).
Personal data is stored for as long as it is required for contract execution. Statutory retention periods apply thereafter. We generally delete enquiries no later than 12 months after closure, unless statutory obligations preclude this.
Data processing agreements pursuant to Art. 28 GDPR exist with all service providers, ensuring data protection and data security.
We process personal data to organise, conduct and follow up on visits and events.
We use Microsoft services for scheduling and coordination. Legal basis: Art. 6(1)(b) GDPR. Privacy notices: microsoft.com/de-de/privacy/privacystatement
At freely accessible events, photo and video recordings may be created for documentation and public relations purposes. Notices on site inform about photo and video recordings. If you do not wish to be recorded, please speak to the event team.
You may object to the processing of photo and video data for personal reasons. Please inform us or the photographers on site.
In addition to our products, we offer service and consulting services by phone, email, contact form, WhatsApp Business, chatbot (JaneGPT by Kinnovis), our own AI-assisted website chatbot, or on site. Bookings and contract conclusions take place exclusively via Kinnovis.
Notice on the use of Artificial Intelligence: For the efficient handling of your enquiries, we use AI-assisted systems. Enquiries received via contact form, email, telephone, WhatsApp or our website chatbot may be automatically analysed, categorised and partially answered by AI systems.
We use AI services to support our customer communication. This includes the automated analysis and, where applicable, answering of customer enquiries via various communication channels (email, contact form, WhatsApp, website chatbot, telephone). Processing takes place on the basis of our legitimate interest in efficient customer support (Art. 6(1)(f) GDPR). When using our website chatbot, processing additionally takes place on the basis of your consent (Art. 6(1)(a) GDPR).
As part of this automated processing, the contents of your enquiries and associated contact data are transmitted to the following AI service providers:
| Service provider | Purpose | Server location | Privacy notices |
|---|---|---|---|
| OpenAI (ChatGPT) | AI-assisted analysis and answering of customer enquiries | USA | openai.com/policies/privacy-policy |
| Anthropic (Claude) | AI-assisted analysis and answering of customer enquiries, website chatbot | USA | anthropic.com/privacy |
| Make (Celonis SE) | Automation platform for forwarding and processing enquiries | EU | make.com/en/privacy-notice |
When using OpenAI and Anthropic, personal data may be transferred to the USA. The transfer takes place on the basis of standard contractual clauses (Art. 46(2)(c) GDPR) and/or the EU-US Data Privacy Framework. Your messages are generally stored for quality improvement purposes for up to 30 days. You have the right to object to AI-assisted processing and instead request handling by our staff.
On our website, we operate our own AI-assisted chatbot ("Kora"). This uses the automation platform Make (EU servers) and the AI service Claude by Anthropic to process your enquiries. When using the chatbot, you will be informed in advance about the AI processing and asked for your consent. Without your consent, no AI-assisted processing takes place. You may leave the chatbot at any time and contact us alternatively by phone, WhatsApp or email.
If we are not available by phone (e.g. outside business hours, on weekends, or when otherwise unavailable), incoming calls are answered by an AI-assisted phone assistant. The phone assistant is operated via Sipgate (sipgate GmbH, Düsseldorf, Germany). Sipgate uses the OpenAI (ChatGPT) service for its AI functions. According to Sipgate, data processing takes place exclusively in Europe; customer data is deleted immediately after processing and may not be used by OpenAI for training purposes. You will be informed at the start of the call that you are speaking with an AI assistant. The following data is processed:
The call data is processed and stored by Sipgate and forwarded to CoStore and stored in our CRM system (Twenty). Processing takes place on the basis of our legitimate interest in continuous availability and efficient customer support (Art. 6(1)(f) GDPR). Further information: sipgate.de/datenschutz
Notice for email contact: When you contact us by email, your messages may be processed by AI-assisted systems. Details below.
Incoming emails (e.g. to our contact addresses) are automatically analysed and pre-processed by AI systems. The AI can categorise enquiries, extract relevant information, and create response suggestions or partially answer enquiries in an automated manner. Processing takes place via Make (EU servers) and the AI services ChatGPT (OpenAI) or Claude (Anthropic). All email data is additionally stored in our CRM system (Twenty). Processing takes place on the basis of our legitimate interest in efficient customer support (Art. 6(1)(f) GDPR). You have the right at any time to object to AI-assisted processing and to request that your enquiry be handled exclusively by a person.
Service enquiries are generally stored for up to 12 months after processing and then deleted, unless statutory retention periods apply. AI-processed messages are generally deleted by the AI service providers no later than 30 days.
We offer newsletter services to provide regular information about products, services and offers.
For registration to our newsletter, we use the double-opt-in procedure:
You may unsubscribe from the newsletter at any time via an unsubscribe link in every email or by directly contacting us.
We use the email marketing service provider Klaviyo for dispatch. Your data is processed exclusively on our behalf. Further information: https://www.klaviyo.com/legal. Klaviyo acts as a processor pursuant to Art. 28 GDPR.
We store your email address and preferences for as long as you are subscribed. After unsubscribing, the data is generally deleted within 30 days.
To manage our customer relationships and centrally store communication data, we use the CRM system Twenty in its cloud version.
Twenty is operated as a cloud service. Data is hosted on servers of Amazon Web Services (AWS) in the USA. The data transfer to the USA takes place on the basis of standard contractual clauses pursuant to Art. 46(2)(c) GDPR and, where applicable, the EU-US Data Privacy Framework. Further information: https://twenty.com/legal/privacy
Processing takes place on the basis of our legitimate interest in efficient customer management (Art. 6(1)(f) GDPR) and for contract performance (Art. 6(1)(b) GDPR).
Customer data is stored in Twenty for as long as the business relationship exists or statutory retention periods apply. After the purpose of processing has ceased, the data is deleted or anonymised.
As part of the use of our storage spaces and access to our locations, we process personal data for access control, security and surveillance:
Our locations are equipped with open video surveillance. Video surveillance takes place in particular:
Video recordings are generally stored for a maximum of 14 days and then automatically deleted, unless security-relevant incidents require longer storage.
For increased security, we work with external security service providers who monitor video surveillance in real time outside our business hours (22:00–08:00).
Video surveillance is indicated by notices at the locations. You have the right to request information about stored recordings or to object to processing.
As part of our corporate communication, we process personal data for the documentation of events, press work, and digital media presence:
Recordings may be published on the CoStore website, social media (LinkedIn, Facebook, Instagram) and in print or online publications. If you do not wish recordings to be published, you may object at any time.
We process personal data to assert, exercise or defend legal claims:
Insofar as legally permissible or with your consent, we process data for promotional communication, customer satisfaction surveys, promotions and competitions.
We are subject to statutory obligations to process and retain personal data, e.g. under the German Commercial Code (HGB) and the German Fiscal Code (Abgabenordnung).
Data processing as part of quality management, to improve customer satisfaction, to further develop products and services, and to improve IT security.
For the technical provision and security of our website, we use the following service providers:
| Service | Purpose | Privacy notices |
|---|---|---|
| Amazon Web Services (AWS) | Hosting and cloud services | aws.amazon.com/privacy |
| Webflow | Web design and hosting platform | webflow.com/legal/privacy |
| Stripe / Stripe Identity | Payment service provider (incl. fraud prevention) and identity verification upon contract conclusion | stripe.com/de/privacy |
| Wunderkopf Technologies (Creditscore API) | Credit check after contract conclusion | wunderkopf.technology/terms/datenschutz |
| Kinnovis | Booking and contract management platform | kinnovis.com/privacy-policy |
| CookieYes | Cookie consent management (GDPR) | cookieyes.com/privacy-policy |
| Cloudflare | Security and performance service (DDoS protection, CDN) | cloudflare.com/privacypolicy |
| Amazon CloudFront | Content Delivery Network (CDN) | aws.amazon.com/cloudfront |
| Google Maps | Map service for location display, navigation and location analyses | policies.google.com/privacy |
| OpenStreetMap | Map service for location analyses and partner properties (IP address is transmitted) | osmfoundation.org/Privacy_Policy |
| Google Fonts | Provision of fonts (IP addresses may be processed) | fonts.google.com/about |
| jsDelivr | Provision of icons and libraries | jsdelivr.com/privacy-policy |
| Unpkg | Provision of static files | unpkg.com |
| Sipgate (Satellite / AI Agents) | Online telephony for taking calls and AI-assisted phone assistant when unavailable (uses OpenAI/ChatGPT, data processing in the EU) | sipgate.de/datenschutz |
| ClickSend | Dispatch of SMS notifications (telephone number and message content) | clicksend.com/privacy-policy |
| Microsoft Outlook / Microsoft 365 | Email communication and calendar management (cloud) | privacy.microsoft.com |
| Supabase | Cloud database for storing customer data, consents and communication histories. Data is hosted on AWS servers. | supabase.com/privacy |
| Hetzner | Server hosting for the receipt and short-term processing of SMS for gate opening at our locations. Only the telephone number is processed and stored briefly. Servers are located in Germany. | hetzner.com/legal/privacy-policy |
| Service | Purpose | Privacy notices |
|---|---|---|
| Google Analytics | Web analytics (IP anonymisation enabled) | policies.google.com |
| Microsoft Clarity | Web analytics tool for evaluating user behaviour on our website using heatmaps, session recordings and analytics metrics. Data collected includes clicks, mouse movements, scrolling behaviour, page views, IP address (anonymised), browser and device information. Data is processed on servers of Microsoft (Azure). Processing takes place exclusively on the basis of your consent (Art. 6(1)(a) GDPR), which you provide via our cookie banner and may withdraw at any time. | privacy.microsoft.com |
| Google Tag Manager | Management of marketing and tracking tags | policies.google.com |
| Google Ads Remarketing | Interest-based advertising | policies.google.com/technologies/ads |
| Facebook plugin | Integration of Facebook functions | facebook.com/about/privacy |
| Facebook Remarketing | Personalised advertising (Custom Audiences) | facebook.com/about/privacy |
| Facebook Lead Ads | Collection of user enquiries via Facebook advertising forms | facebook.com/about/privacy |
| Klaviyo | Email marketing for newsletter and communication | klaviyo.com/legal/privacy-policy |
| Microsoft Booking Tool | Online appointment booking | privacy.microsoft.com |
| Microsoft Forms | Online forms for customer enquiries and feedback | privacy.microsoft.com |
| WhatsApp Business | Customer communication (GDPR-compliant) | whatsapp.com/legal |
| Get Moving Digital | External marketing agency for Google Ads, Meta Ads and SEO. Operates its own leads portal in which enquiry data (name, contact details, enquiry source) is stored and managed. | get-moving.co.uk |
| Google Customer Reviews (Google Places API) | Display of Google reviews on our website via our own integration via the Google Places API. Reviews published publicly on Google (including the reviewer's name, review text and star rating) are displayed on our website. When the page is loaded, data (including IP address) is also transmitted to Google. The display takes place on the basis of our legitimate interest in presenting customer opinions (Art. 6(1)(f) GDPR). Reviews are publicly available on Google; we do not collect any additional data. | policies.google.com/privacy |
In the course of our business activities, personal data may be transferred to countries outside the EU/EEA, in particular to the USA. This includes, among others:
The transfer takes place on the basis of adequacy decisions of the EU Commission, standard contractual clauses pursuant to Art. 46(2)(c) GDPR, and/or the EU-US Data Privacy Framework.
When passing on data to service providers, we ensure compliance with data protection requirements (data processing agreements, standard contractual clauses).
We store personal data only for as long as is necessary. The following periods apply:
If deletion is not possible, processing will be restricted.
We use technical and organisational measures:
When using third-party services (social media, cloud services, AI services), additional security risks may exist.
For all questions regarding the processing of personal data:
Marcel Philipp Lang
Email: datenschutz@costore.de
Last updated: 20 May 2026
Um dir einen der günstigsten Preise bieten zu können, setzen wir auf KI. Möchtest du lieber einen Mitarbeiter? Ruf uns an, schreib uns auf WhatsApp oder vereinbare einen Rückruf.
ℹ️ Mit der Nutzung dieses Chats stimmst du der Verarbeitung deiner Eingaben durch KI zu. Mehr dazu in unserer Datenschutzerklärung.
