SOS-ID GmbH · As of: February 2026
The protection of your personal data is of utmost importance to us. We process your data exclusively on the basis of the General Data Protection Regulation (GDPR) and the German Telecommunications and Digital Services Data Protection Act (TDDDG).
1. Data Controller under the GDPR
Company: SOS-ID GmbH
Address: Cassellastrasse 30–32, 60386 Frankfurt am Main, Germany
Email: info@id-no.com
Represented by: Management
ID-No.com is the technical platform for using SOS-ID products. The operator and data controller within the meaning of the GDPR is SOS-ID GmbH. It determines the purposes and means of data processing and fulfils all data protection obligations. Users have no contractual or liability relationship with any other entity.
2. Data Protection Officer
Company: DataGAP GmbH
Address: Bessemerstraße 51, 1st Floor, 12103 Berlin
Email: info@datagap.de
3. Hosting, Server Location & Retention Periods
ID-No.com is operated exclusively on secured servers located in Germany. All processing of personal data takes place entirely within the European Union. No transfer to third countries takes place.
Contract & billing data: Statutory retention periods apply
Customer account: Until deletion by the user
Emergency & health data: Deletable by the user at any time
Once the purpose has ceased or statutory retention periods have expired, data will be deleted or anonymised.
3.1 Termination & Data Deletion
Users may request the deletion of their account at any time by emailing datenschutz@id-no.com. All data not subject to statutory retention obligations will be irrevocably deleted or anonymised within 30 days. Health and emergency data will be removed immediately upon account closure – restoration is not possible thereafter. Data subject to statutory retention requirements (e.g. invoices pursuant to § 147 of the German Fiscal Code) will be blocked until the relevant period expires and then deleted.
3.2 Use of Data Processors
To provide our services, we engage external service providers (e.g. hosting, payment processing, email delivery, IT services). These providers process personal data exclusively on the basis of data processing agreements pursuant to Art. 28 GDPR and only in accordance with our instructions.
4. Data Processing When Visiting the Website
When you access our website, the following data is processed automatically:
Purpose: Ensuring stable operation, defending against security incidents, preventing misuse
Legal basis: Art. 6(1)(f) GDPR
Retention period: Maximum 30 days
5. Cookies & Consent Management
Technically necessary cookies: Legal basis: § 25(2) TDDDG, Art. 6(1)(f) GDPR – no consent required
Analytics & statistics cookies: Legal basis: § 25(1) TDDDG, Art. 6(1)(a) GDPR – only with explicit consent
Consent may be withdrawn at any time via the cookie banner.
6. Customer Account & Orders
In connection with account creation and order processing, we process the following data:
Legal basis: Art. 6(1)(b) GDPR
Contract data: Statutory retention periods apply
Customer account: Until deletion by the user
7. SOS-ID Emergency Data & Special Categories of Data
Users may voluntarily store particularly sensitive data within the SOS-ID emergency passport. These may constitute special categories of personal data within the meaning of Art. 9 GDPR.
7.1 Types of Data Processed
Users may store the following information in particular:
7.2 Role of ID-No.com
ID-No.com serves exclusively as a technical platform for storing information entered by the user. SOS-ID GmbH operates the technical infrastructure but does not carry out any medical assessment, content review, or analysis of the data.
7.3 Legal Basis & Consent
Processing is carried out exclusively on the basis of explicit consent, which is obtained separately and in granular form – independently of accepting the Terms and Conditions (separate checkbox):
Consent may be withdrawn at any time with effect for the future. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
7.4 Encryption & Access Protection
Emergency data is stored in encrypted form and protected by extensive technical and organisational measures (TOMs). Employees do not have unrestricted access to stored content. Access is only granted where technically absolutely necessary – without any content analysis.
7.5 Access in an Emergency
Access to emergency data is only possible via:
Without the appropriate authorisation, no access is possible. SOS-ID GmbH assumes no liability for the availability of the platform in an emergency. We recommend keeping analogue emergency information as a supplement.
7.6 Data Control & User Responsibility
Users retain full control over their data at all times. Independent modification, deletion, and withdrawal of consent are possible at any time. Once deleted, data can no longer be retrieved. Responsibility for the accuracy, currency, and completeness of the information lies with the user.
7.7 Event Notification upon QR Code Scan
When an SOS-ID QR code is accessed, an event (date and time) is recorded. The user automatically receives an email notification. The purpose is to inform about usage and to enhance the security of the user account. For misuse prevention purposes, the IP address of the accessing device is logged for a short period (max. 30 days) upon each scan.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest: security & misuse prevention)
8. Payment Processing
Service provider: Stripe Technology Company Limited, Dublin, Ireland (EU)
Data access: We do not receive access to complete payment data
Third-country transfer: Stripe may process data via US group companies. Legal basis: Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR
Stripe privacy policy:https://stripe.com/privacy
9. Newsletter
If you subscribe to our newsletter, we process your email address and the time of registration. Registration is carried out using a double opt-in procedure: after entering your email address, you will receive a confirmation email. Your address will only be activated for newsletter delivery after clicking the confirmation link.
Legal basis: Art. 6(1)(a) GDPR
Service provider: Brevo
Retention period: Until unsubscription; deletion within 30 days of unsubscription
Unsubscription: At any time via the link in each newsletter email or by emailing datenschutz@id-no.com
10. Your Rights
You have the following rights against us at any time:
Where we process data on the basis of legitimate interests, you may object at any time.
Competent supervisory authority: The Hessian Commissioner for Data Protection and Freedom of Information (HBDI), Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany
11. Data Security & Data Breaches
We deploy extensive technical and organisational measures to protect personal data to the greatest possible extent:
In the event of a data breach, we will report the incident to the competent supervisory authority without undue delay, and at the latest within 72 hours (Art. 33 GDPR). Where there is a high risk to affected individuals, they will also be notified without undue delay (Art. 34 GDPR). Data breaches involving health data are generally considered to pose a high risk.
12. Contact and Support
If you contact us by email or via a contact form, we process your information exclusively for the purpose of handling your enquiry.
Legal basis: Art. 6(1)(b) GDPR or Art. 6(1)(f) GDPR
Retention period: Deletion after the enquiry is concluded, unless statutory retention obligations apply
13. No Automated Decision-Making or Profiling
No automated decision-making or profiling within the meaning of Art. 22 GDPR takes place.
14. Amendments to this Privacy Policy
We reserve the right to update this Privacy Policy in response to changes in our services or the legal framework. The current version is available at www.id-no.com/privacy. In the event of material changes, registered users will be informed by email.
Data Protection Contact: datenschutz@id-no.com · SOS-ID GmbH, Cassellastrasse 30–32, 60386 Frankfurt am Main, Germany