Data Privacy

We are firmly committed to protecting the privacy and security of your data. Therefore, we have designed our website and business processes with the aim of collecting and processing as little personal data as possible. This privacy policy explains which information we record during your visit to our website and our cloud platform and for which purposes and how this information is used.

This privacy policy was last updated in August 2023.

1. Controller / scope of this privacy policy

We” or “us” in this privacy policy refers to VERSO GmbH, Agnes-Pockelsbogen 1, 80992 Munich, Germany and specifically to sustainabill branded products and services.

This privacy policy applies to the processing of personal data collected via our websites under and and we are the controller in this regard.

For any question regarding data protection, you can reach us at:

2. Data provided by you

2.1 When contacting us or signing up to our email newsletter

If you provide data via the contact form, we will use this data only to comply with your request (legal ground may be Art. 6 Sec. 1 Clause 1 (a), (b) or (f) of the European General Data Protection Regulation, “GDPR“).

If you subscribe to our newsletter, we will store the given contact details for the purpose of delivering the newsletter (legal ground is Art. 6 Sec. 1 Clause 1 (a) or (b) GDPR). You will remain registered to receive the newsletter until you opt out. Each newsletter includes a link enabling you to opt out from the newsletter subscription. You may further opt out at any time with effect for the future by letting us know you wish to object or to withdraw your consent (see Sec. 8 below). If you opt out we will delete your data, unless we are entitled or obliged to further retain your data.

2.2 When using the sustainabill platform under


When you register your organization with us (i.e., the sustainabill platform, available under, you must agree to our License Agreement and Terms of Use. Besides, we need information to set up and manage your organization’s account. This information is provided by you and includes, for example, your name, the name of your organization, your email address and password as well as (further) contact and payment details. We process this information to enter into and fulfil the agreement with your organization and reply to your requests (Art. 6 Sec. 1 Clause 1 (b), (c) and (f) GDPR). Particularly your email address will be used for log-in access to your account and to inform you about updates in the sustainabill platform which are relevant for the performance of the agreement with your organization (Art. 6 Sec. 1 Clause 1 (b) and (f) GDPR).


When you use the sustainabill platform, we process information about you in our role as data processor on behalf of your organization in its role as data controller, i.e. we process your personal data to the extent necessary for the performance of the agreement with your organization (Art. 6 Sec. 1 Clause 1 (b) and (f) GDPR). Such personal data may include information entered by you when you log into your account (for example, your name and email address), contents of correspondence with you as well as your usage of the sustainabill platform, including the contents of the correspondence between yourself and others. Your organization is responsible for the processing of your personal data in the sustainabill platform. It may, for example, grant or withdraw access to a feature, access, analyse, modify, export, share and/or remove the data in the sustainabill platform and/or otherwise apply its policies to it. Please refer to your organization for further details.


Customers may invite suppliers to the sustainabill platform which are not yet registered with us. If you are a supplier contact, you may receive such invitation. Alternatively, customers may ask you to allow them to share your data (address of your organizations as well as your contact details) on the sustainabill platform. For these purposes, VERSO acts as a data processor of the respective customer in the sense of Art. 4 Sec. 8, 28 GDPR. If VERSO intends to process your personal data beyond its role as the customer’s data processor, VERSO will inform you accordingly and will obtain your consent (Art. 6 Sec. 1 Clause 1 (a) GDPR) to such processing, if necessary.

3. Data collected from you when you use our online services

3.1 Logfiles

Each time you visit our websites under or our cloud platform under, our web servers automatically process standardised information in a log file. This information includes but is not limited to the IP address and your internet access provider, the specific address of the visited web pages, possibly the web page from which you were directed to us (link source), the version and type of the web browser used, the operating system of your device, as well as the date and time of page requests. We partly require this information for technical reasons, i.e. in order to be able to display our website and ensure stability. In addition, we store IP addresses in log files to be able to pursue our rights and restore IT security in case of an attack against our IT (our legitimate interest; Art. 6 Sec. 1 Clause 1 (f) GDPR). For this reason, such data will be held for 14 days. We will not use this information for purposes other than those. We do not share this information with third parties. With the exception of your IP address, it is not possible for us to connect the log files information to you as a person. We only use IP addresses in log files for identification of users in case of an attack.

3.2 Tracking and technical control with cookies

We use cookies on our websites under A cookie is a small piece of data (usually a code or a small image file) send from our websites and stored on your device by your web browser while you are browsing. It allows recognition of your device when you are browsing on our websites. You may block and delete cookies via the settings of your web browser or choose settings to indicate when a cookie is being sent. Furthermore, when you visit our websites, a cookie banner will inform you about our usage of cookies and enable you to agree to or block them.

  • Statistical Analysis – Tracking: When you use our websites under or cloud platform under, we analyze anonymized usage data logged by our servers. We create statistical analysis required for the qualitative improvement of the cloud platform (our legitimate interest; legal ground is Art. 6 Sec. 1 Clause 1 (f) GDPR). For this, we only processes a shortened version of your IP address and further technical data. It is not possible to identify you as a person from this information and the tracking is limited to the activities on and

  • Our website uses the LinkedIn Insight Tag for conversion tracking of our advertising campaigns. This stores a cookie to identify clicks and conversion measurements of our LinkedIn ads. The information is transferred to LinkedIn’s servers and is not shared with third parties. You can prevent this by setting your browser so that no cookies are stored

    In addition, we use Google Analytics integrated via the Goolge Tag Manager on our website to collect information such as your anonymized IP address, device type and operating system, referring URLs, locations and pages visited. If you do not want Google Analytics to be used in your browser, you can install the “Google Analytics Opt-Out Browser Add-On”, provided by Google.

    sustainabill Platform
    Bespoke analytics (all analytics data is stored on Open Telekom Cloud in Germany as securely as our platform data)
    Google Analytics via Google Tag Manager
    LinkedIn Insight Tag
    Table: Analytics tools in use; see Annex 1 (Subcontractors and Service Providers) for additional details.
    • Technical Control: We further use cookies to enhance and simplify the navigation through the websites, i.e. we use cookies which are technically required in order to ensure smooth operation of our websites (legal ground is Art. 6 Sec. 1 Clause 1 (f) GDPR). These cookies will be deleted automatically after 13 Months. Examples for such Cookies are the preferred language of the visitor. By setting a cookie we make sure that the user does not have to select their preferred language every time they visit our website.
    3.3 Maps and Address Resolution (Mapbox Incorporated)

    The sustainabill platform utilizes map services provided by Mapbox Incorporated, (short “Mapbox”). If you are using our cloud platform, VERSO transfers your organization’s address or GPS coordinates to Mapbox. In addition, when you access those parts of the platform which provide a map, your internet browser or application will connect to servers operated by Mapbox located in the United States of America. In order for the map to be displayed, your IP address will be forwarded to Mapbox and a session cookie (i.e. a temporary cookie which allows Mapbox to link the actions of a user during a browser session) may be set. The use of the aforementioned tools is based on Art. 6 Sec. 1 Clause 1 (f) GDPR: the data processing is done to improve the user-friendliness on the sustainabill platform and is in the interest of an appealing presentation of our services. It is therefore in our legitimate interest. VERSO has no control over such connections and processing of the aforementioned data by Mapbox. You can find more information on the processing of user data by Mapbox under the following link: To prevent all of the connections and processing described above, use the settings feature in your sustainabill platform profile and turn off displaying maps. See Annex 1 (Subcontractors and Service Providers), [2] for additional details.

    3.4 Signing up to our newsletter and inviting suppliers (Mailjet SAS)

    The sustainabill platform and the sustainabill website uses emails to communicate with you or your suppliers. To make sure that emails are delivered we use the technology of Mailjet SAS. This use of is based on Art. 6 Sec. 1 Clause 1 (f) GDPR: It is in our legitimate interest that emails are delivered and any problems with delivery (such as typing errors in email addresses or misuse) can immediately be identified and rectified. Mailjet will process any email address entered in the sustainabill platform or the sustainabill website to make sure that the email can be delivered. You can find more information on the processing of this data by Mailjet SAS under the following link: See Annex 1 (Subcontractors and Service Providers), [3] for additional details.

    3.5 Requesting support (e.g. via

    Whenever a email is sent to the aforementioned address this email is processed by our partner freshworks and stored in the ticketing system freshdesk. We use freshdesk to process your issues efficiently and make sure that our support agents can give you the best possible user experience when resolving your issues. All freshdesk data is stored securely in the EU.

    3.6 CAPTCHA

    On some forms on our website we add a Google Captcha to ascertain that the forms are likely filled by humans. This helps us to reduce the amount of spam and marketing emails send via our website.

    4. Retention periods

    Unless specified otherwise in the above, we delete your personal data when the contract between your organization and us ended, all claims have been met and we are neither obliged to further store your data (for example, due to statutory retention obligations) nor entitled to further store your data (for example, based upon consent).

    5. Disclosure and transfer of personal data

    We do not disclose or otherwise transfer your personal data to any third party without your prior consent except in the following situations:

    5.1    We use third party IT providers in order to provide our services. Such providers act as our processors within the meaning of Art. 28 GDPR. Amongst others, we use the Telekom Deutschland GmbH’s Open Telekom Cloud to store and process all customer data. Telekom Deutschland GmbH itself stores and processes all data in Germany. Your data will leave the borders of Germany under no circumstances. See Annex 1 (Subcontractors and Service Providers), [1] for additional details.

    5.2    We use services of third parties which are as such not part of our contractual services but still necessary in order to enter into or perform the contracts with our customers or to pursue claims or to defend against claims (our legitimate interests) and which require a disclosure/transfer of the data. Such third parties include advisors (in particular tax and legal advisors), providers of logistics and postal services, payment and claims management providers, courts and public authorities. In such case, the legal ground for disclosure/transfer is Art. 6 Sec. 1 Clause 1 (b), (c) or (f) GDPR.

    5.3    The disclosure/transfer is necessary for compliance with a legal obligation to which we are subject (Art. 6 Sec. 1 Clause 1 (c) GDPR).

    6. Security

    To protect your personal data against unauthorized access, loss and misuse, we have taken extensive technical and operational security precautions. Our security procedures are regularly reviewed and adapted to technological progress. Our employees are under obligation to maintain confidentiality.

    7. Changes to the privacy policy

    We will conduct appropriate reviews of this privacy policy and will work to continuously improve it and revise it as necessary. Any changes made to the policy will be disclosed directly to users and/or posted on our websites.

    8. Your rights

    8.1    Right to access the personal data we process about you
    8.2    Right to rectification of your personal data
    8.3    Right to erasure (“right to be forgotten”)
    8.4    Right to restriction of processing
    8.5    Right to data portability

    8.6    Right to object: you have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on our legitimate interest, including profiling based on this. We shall no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. Where your personal data are processed for direct marketing purposes, you have the right to object at any time to such processing, which includes profiling to the extent that it is related to such direct marketing.

    8.7    To the extent we process your personal data based on your consent, you may withdraw such consent at any time. In such case, we shall no longer process the personal data, unless we are obliged or entitled to further process the personal data based on another legal ground.

    8.8    Furthermore, you have the right to lodge a complaint with a supervisory authority. A list of supervisory authorities in Germany and their contact details you may find under the following link:

    9. Further details

    Please do not hesitate to contact us if you have any further questions, for example concerning the personal data recorded. You may use the following email:

    Annex 1 (Subcontractors and Service Providers)

    Type of ServiceReason for Service/
    Adequacy Decision / Appropriate Safeguards
    Telekom Deutschland GmbH
    Landgrabenweg 151
    53227 Bonn
    GermanyInfrastructure and data storage
    (Platform only)
    All sustainabill platform data is stored with OTC in Germany. No platform data will ever be transferred to a third country.
    Microsoft Corporation
    One Microsoft Way
    Redmond, WA 98052

    *other servers in the European Union may be used
    Emails and data storage
    (Platform and website)
    We use Office 365 to send and receive emails, make video calls, and store internal as well as customer data which is not processed in the sustainabill platform (e.g., data to be imported, bespoke customer projects). Office 365 is fully GDPR compliant.
    Raidboxes GmbH
    Hafenstraße 32
    48153 Münster
    (Website only)
    Our website is hosted with Raidboxes GmbH in Germany. This includes data such as IP connections of clients and email adresses of newsletter subscribers.
    Pipedrive OÜ
    Mustamäe tee 3a
    10615 Tallinn
    (Website forms)
    We use Pipedrive for customer care. Pipedrive ensures an adequate level of data protection, for example, by Implementing standard data protection clauses issued by the European Commission for the transfer of personal data (Art. 46 GDPR).
    Mailjet SAS
    13-13 bis, rue de l’Aubrac – 75012 Paris, France
    Ireland, Belgium, GermanyOutgoing emails
    (Platform and website)
    We use Mailjet to send outgoing emails, e.g. to invite new platform users or to sent newsletters. Mailjet is a GDPR Compliant subprocessor located in the European union. The Mailjet SAS Privacy Policy can be found at:
    Freshworks GmbH
    Freshworks Inc.
    2950 S. Delaware Street 
    Suite 201
    San Mateo, CA 94403 
    European Economic AreaSupport workflows. Incoming and outgoing emails
    to support mailboxes
    (Support only)
    We use Freshworks’ Freshdesk to improve the customer experience when customers engage with our support team. Freshdesk supports us to answer customer requests timely and to make sure our support agents are always informed about the status of all open support requests.
    Mapbox, Incorporated
    5th Floor 740 15th Street Northwest Washington, DC 20005
    (Communication to Mapbox inc. can be disabled in the sustainabill settings)
    United States of America, GDPR CompliantMaps and Geolocation
    (Platform only)
    The sustainabill platform uses Mapbox to make it convenient for users to search for addresses and display supplier locations on a map.
    To enable address searches, we send transfer queries (e.g. “Mediapark 5, Cologne”) to Mapbox.
    To display a map in the sustainabill plattform, we have to transfer the users IP address to mapbox as a technical necessity.
    We employ the “need to know” principle, that is
    no additional personal or company data is transferred. The Mapbox Privacy Policy can be found at:
    Google Inc.
    1600 Amphitheatre Parkway Mountain View, CA 94043, USA.
    United States of America, GDPR CompliantAnalytics
    (Website only)
    Google Analytics is integrated via the Goolge Tag Manager to analyze and improve the performance of our website as well as understand how we can improve our services. Google CAPTCHA is used to protect us from spam.
    For both services all technical measures have been taken to transfer only anonymized data to Google Inc. wherever possible.
    LinkedIn Ireland
    Unlimited Company,
    Wilton Plaza, Wilton Place, Dublin 2, Ireland
    United States of America, GDPR CompliantConversion Tracking and Retargeting (Website only)Our website uses the LinkedIn Insight Tag for conversion tracking of our advertising campaigns. A cookie is stored to identify clicks and conversion measurements of our LinkedIn ads. The information is transferred to LinkedIn’s servers and not shared with third parties. You can prevent this by setting your browser to not store cookies.