Privacy & Security

One is yours - let it stay that way.

Privacy and security

Your data belongs to you! - it should stay that way

During StampLab development and with every update, we keep the privacy and security of your data in mind!

Your trust is important to us, which is why we process all your data ourselves and do not give or sell it to third parties. If we have to give data to third parties, for example to offer you the possibility of a social login, we try to give as little data as possible.

Abgehakt Icon

Your data is yours!

Your information is your property and our team at l3montree is committed to protecting it. As long as we hold your data, we will do our best to protect it and make it accessible only to you.

We process your data, as a processor, only in the context of providing our software, services and on your instructions. We do not share, sell, or use your data for any purpose other than as described below.

As our customer, you are a data subject within the meaning of the GDPR - you are therefore responsible for protecting your data subject rights.

Abgehakt Icon

Authorization system

We have built a permission system into StampLab that is based on role types and individual permissions. So you can define which employees can see which data according to your own concept.

The default settings are always data protection friendly and meet your requirements and those of the DSGVO. In concrete terms, this means, for example, that when employees join your workplace, they cannot view any data except their own. Then, when they are assigned a role, they can only see information intended for that role.

The settings for even more sensitive access to data can be assigned in detail with individual permissions. Like for example the number of working hours of employees.

Abgehakt Icon

Access to your data

Only in case of errors in our systems, where access to your data is unavoidable, members of our team may access your data. We take care that our employees cannot see more of your data than is absolutely necessary.

In the case of support requests (on your part), you must first give us specific and unambiguous permission to process the request with your data. The processing is carried out internally only according to the "need-to-know principle".

Abgehakt Icon


In principle, no logging of your entries takes place when using our systems and no profiling is carried out.

However, we do log the basic requests to our systems if these cannot be assigned to an average access. This means that accesses that do not represent normal use of our service can be stored longer by us for reasons of security.

Abgehakt Icon

Server in Germany

The servers on which your data is stored and processed by us are located in Germany. Our provider exclusively provides the hardware for the servers and ensures highly secure conditions in its data centers. The data centres are ISO 27001 certified, TÜV level 3 audited and PCI DSS compliant.

Abgehakt Icon

A bit of technical stuff

Protected transmission of your data

When data is sent from your device to our servers, it is protected with transport encryption (TLS/SSL) so that no one else can read it. Our servers support the latest variants and ciphersuites of these protocols.

Password protection

When you create your account in StampLab with a password, we use so-called "hashing" to store your password in a protected way. Hashing is a cryptographic method that uses a one-way principle to change your input in such a way that your original input cannot be calculated. Even in case of data theft, your password is protected. We also strengthen the effectiveness of hashing by using so-called "salt".

Abgehakt Icon

When you leave StampLab

If at any time you no longer need or want to use our services, you can of course request an export of all data stored about you. We will then send you all your data in common formats.

This query of all your data, as well as the deletion, correction and your other rights under the GDPR, you can of course request at any time. An informal email to us is sufficient for this.

When our journey together ends, we will immediately delete all your data from our systems.

Our backups are deleted according to certain patterns, so it may take some time (maximum 3 months) until your data is completely deleted.

Documents on data protection and IT security

Here you will find the most important documents on data protection and IT security in StampLab and at l3montree:

Privacy policy for the StampLab app

General information

Protecting your personal data when using our app is important to us. Here you can find out what data is collected and used. This privacy policy informs you about the type, scope and purpose of the processing of personal data (hereinafter referred to as "data") within our app and its associated services, functions and content.

Personal data is any data with which you can be personally identified. With regard to the terminology used, such as "processing" or "controller", we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).


We cannot accept any liability for links to third-party content or third-party services.

Contact details of the responsible party

The provider of the application and responsible under data protection law is:

l3montree UG (limited liability). Managing Director: Tim Bastin & Sebastian Kawelke In der Grächt 27 53127 Bonn Germany

You can reach our data protection officer at the following e-mail address:

Statutory data protection officer

Sebastian Kawelke In der Grächt 27, 53217 Bonn Germany

Data collection when using our app

When using our app, data inevitably accumulates that must be stored or processed in order to be able to offer the basic functions of the app at all. An analysis of your user behavior for advertising purposes does not take place.

If we collect data, this is so-called usage, meta and communication data. Basically, when you use our app (e.g. open it without having registered), there is data that our IT systems have to process automatically (e.g. IP address and port of the connection). These mainly technical data are processed by us only during the connection, but in principle not stored for a long time.

In the following, we explain which data we collect, process and possibly also store for a longer period of time.

Types of data collected - overview:
  • Inventory data (e.g. name)
  • Contact data (e.g. e-mail)
  • Content data (e.g. text entries, profile pictures, plans)
  • Meta/communication data (e.g., IP address, device information).
Reasons for collection - Overview:
  • Provision of our offer, functions and content.
  • Responding to contact requests and communicating with users.
  • Security measures
  • Improvement of our offers

Indirect data collection (server logs)

In addition to this data processed in normal operation, our servers may collect and store so-called server log files. However, only accesses that are not legitimate, i.e. do not represent a normal use of our service, are stored longer. This is done to avert danger and to ensure the IT security of our systems.

**Specifically, such data could be: **

  • operating system used
  • app version used
  • date and time of the server request
  • IPv4 address and subnet, IPv6 address and prefix

A combination of this data with other data sources is not made.

The collection of this technical data is absolutely necessary for the provision of our app and for the operation of the offer, so that you as a user have no possibility to object. Of course, this does not affect your right of inspection as well as deletion (see "Your rights").

The legal basis for the collection of this data and its storage in log files is Art. 6 para. 1 p. 1 lit. f DSGVO. Our legitimate interest here is to ensure the smooth operation of our offer to provide you with a good experience with our product.

Collection of personal data when using our app.

In addition to the technical data mentioned above, we collect so-called inventory, content and contact data. This data includes all data that you generate and store yourself as a user with us. For example, your email address when registering or the data representing your input (such as layers, roles, etc.).

When using our offer with an account (when registering an account and continuing to use our app), the following data is collected by us:

  • Your name
  • Your email address
  • Your profile picture
  • Your affiliation to a workplace
  • Your roles in your workplace (e.g. service worker)
  • Your shifts
  • The times you have entered in the time sheet
  • Your surveys
  • Your tasks
  • The work plans you have created (with descriptions)
  • Your settings
  • The version of the app you use and your device IDs (e.g. for push messages)
  • IDs of your social account if you use the social login feature
  • Your payment method (if you're using a paid plan)
  • Your address (if you use a paid plan)
  • Your company name (if you use a paid plan)
  • Your tax number (if you use a paid plan)
  • Your paid plan (if you use a paid plan)
  • Your payment status (if you use a paid plan)

We only use this data to provide our service. We do not use this data for any other purpose. Most importantly, it will not be used for advertising or similar purposes.

In principle, all data that is no longer necessary for our task fulfillment is deleted at regular intervals.

The basis for data processing is Art. 6 (1) lit. b DSGVO, which permits the processing of data for the fulfillment of a contract or pre-contractual measures.

Push - notifications

If you want to agree to the option of receiving so-called push - notifications, you must give us permission to do so (request by the operating system during initial installation). Notifications can be subsequently enabled or disabled in the app settings. We use the services Firebase Cloud Messaging from Google (for Android) and Apple Push Notifications (for iOS) for push notifications. In order to deliver the notifications correctly, Apple and Firebase generate keys, which consist of the identifier of your device and the identifier of the app. These are stored with us and linked to your individual notification settings. Firebase and Apple always act as intermediaries, but do not receive any information about the content of the requests or notifications.

We store and process this data only to be able to offer you the benefits of push notifications. We cite Art. 6 (1) lit. f DSGVO and Art. 6 (1) lit. b DSGVO as the legal basis here.

Social Log In

Our app offers you the option of a so-called social log in. If you use this function, we receive from the provider of the social network, for example, profile information, such as your name or the e-mail address specified there. We use this data exclusively for the provision of our offer.

In order to use this function, you must establish a connection with the social network. In the process, other personal data of yours may also be transmitted to the provider of the network, such as your current IP address.

More detailed and further information on the purpose, scope, type and use of your data by the operator of the social network can be found in the individual privacy statements of the providers.



We store and process this data only to be able to offer you the benefits of the social log in. As a legal basis, we cite here Art. 6 para. 1 lit. f DSGVO and Art. 6 para. 1 lit. b DSGVO.

Code Push

In order to provide you with technically necessary updates as quickly as possible, e.g. if a basic functionality of the app should not work or there is a security problem, we use the Code Push service from Microsoft. This will automatically update your app in the background and you can use the app as usual. To use this service we need to send your device ID and the version of the app to Microsoft. We do not pass on other data such as your e-mail address. Information about the purpose, scope, nature and use of your data by the operator of the service can be found at the following address:


We only share this data with this third party in order to offer you a good experience with our product and to ensure a smooth operation. As legal basis we cite here Art. 6 para. 1 lit. f DSGVO and Art. 6 para. 1 lit. b DSGVO.

Usage and diagnostic data

If you have agreed to the collection and transmission of usage and diagnostic data such as crash reports, certain data will be sent to Apple or Google. We receive this data in anonymized and aggregated form, making it impossible for us to identify individuals.

We only use this data to improve our app, features and services.

Apple: Information collected may include details about hardware, operating system, speed statistics, and device and app usage (Apple Privacy). Apple's collection of usage and diagnostic data applies device-wide. You can turn it off at any time: Apple Support

Google: Google collects information such as battery level, how often you use your apps, and the quality and duration of your network connections (cellular, Wi-Fi, and Bluetooth). The setting whether you want to send usage and diagnostic data to Google applies device-wide. You can change it at any time: Google Support

In addition to the collection of diagnostic data by Google or Apple, we use the Sentry service - we run this ourselves on our servers (no data is sent to Sentry). Sentry is a service that helps us to detect serious and critical errors in the app (e.g. errors that cause an app crash). For this purpose, your device may send error messages in the background to our Sentry instance. We use these error messages exclusively to improve the app. These error messages contain data that could possibly be associated with you, such as your app version, information about your device (e.g. Android version) and a unique anonymized ID (usage data such as your name or your registered times are not transmitted under any circumstances). Before a message is sent, we remove your email address and your IP address from the message.

We collect this data only to offer you a good experience with our product and to ensure a smooth operation. As a legal basis we cite here Art. 6 para. 1 lit. a DSGVO and Art. 6 para. 1 lit. b DSGVO.

Collection of further data when visiting

In addition to the above data, we collect other data when you visit our web version ( We use the service Umami, an open-source analytics application, to collect data about the behaviour of our users. We run our own instance of this service on our own servers - so no data is passed to third parties. We may collect the following data:

  • the browser used (e.g. Google Chrome)
  • the type of device (e.g. laptop or mobile)
  • the screen resolution
  • the language used
  • the operating system (e.g. Android)
  • an anonymous session ID (to avoid duplicating your website visit)
  • which URLs you visit (which subpages)
  • from which URL you came to our website (referrer)
  • how long you were on our site

We collect this data in order to be able to improve our website and to offer you a good experience when visiting it, as well as to be able to guarantee smooth operation. We cite Art. 6 Para. 1 lit. f DSGVO as the legal basis for this.

Payment transactions

In order to use StampLab, you may need a paid subscription. As part of taking out such a subscription, we use various payment service providers to offer you different payment methods. We use the following service providers:

The basis for data processing is Art. 6 (1) lit. b DSGVO, which permits the processing of data for the performance of a contract or pre-contractual measures.

If you enter into a business relationship with us by making payment transactions, we are required by various legal requirements, for example, to store invoices for 10 years (Art. 6 para. 1 lit. c DSGVO allows us this storage to fulfill our obligations to government agencies such as the tax office). We would like to point out that in such a case it is not possible for us to delete all your data, e.g. upon your request. All data that does not fall under such retention periods, we delete of course immediately upon your request.

Contact by e-mail

When contacting us, e.g. by e-mail, we collect your contact data until the reason for the contact loses its relevance and e.g. a reply from our side is no longer necessary. Of course, this does not affect your right of access and deletion (see "Your rights"). When contacting us by e-mail, it should be noted that the confidentiality of e-mails or other electronic forms of communication on the Internet is generally not guaranteed. For confidential information, we recommend contacting us in encrypted form ( or by mail.

How we protect your data

This app uses TLS encryption for security reasons and to protect the transmission of confidential content, such as requests you send to our server. This method is implemented for all communication between the app and our servers.

When TLS encryption is enabled, the data you transmit to us cannot be read by third parties.

In addition to encryption during transmission, we also protect your data on our servers, within the framework of current procedures.

Furthermore, our employees are also obligated to maintain the confidentiality of your data.

Even if we use all available security mechanisms, we point out that data transmission on the Internet can have security gaps. A complete protection of data against access by third parties is not possible.

If you create your account in StampLab with a password, we use so-called "hashing" to store your password in a protected manner. Hashing is a cryptographic process that uses a one-way principle to change your input in such a way that your original input cannot be calculated. Even in case of data theft, your password is protected. We also strengthen the effectiveness of hashing by using so-called "salt".

Your rights

Revocation of your consent to data processing

By using our offer, you agree to the processing of the data collected for the provision of the offer. There is no direct possibility for you to object. However, you can of course request the deletion of all data.

Many data processing operations are only possible with your express consent. You can revoke your consent at any time. For this purpose, an informal communication by e-mail to us is sufficient. The legality of the data processing carried out until the revocation remains unaffected by the revocation.

Right of appeal to the competent supervisory authority

In the event of violations of data protection law, the data subject has a right of appeal to the competent supervisory authority. The competent supervisory authority in matters of data protection law is the state data protection commissioner of the federal state in which our company is based. A list of data protection officers and their contact details can be found in the following link.

Right to data portability

You have the right to have data that we process on the basis of your consent or in performance of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done insofar as it is technically feasible.

Information, blocking, deletion and correction

Within the framework of the applicable legal provisions, you have the right at any time to free information about your stored personal data, its origin and recipient and the purpose of data processing and, if necessary, a right to correction, blocking or deletion of this data. For this and other questions on the subject of personal data, you can contact us at any time at the address given in the imprint.

You can request a data export in the app as well as the deletion of your account.

Further information

Criteria for determining storage periods

Your personal data will be stored by us until the contractual relationship is finally terminated, no further mutual claims can arise from it and also the statutory or internal retention periods have expired.