Privacy Policy
Last updated: 25 February 2026
1. Who we are
Stordia (Sole Proprietorship)
Owner & Controller: Pantelis Anadolis
Kurstr. 10, 13585 Berlin, Germany
Email: support@stordia.com | Phone: +49 30 9228 5614
1a. Our Platform
Stordia operates a digital agency platform that enables businesses – particularly in the hospitality and food & beverage industry – to centrally manage their online presence. This includes:
- Social Media Management – planning and publishing content on TikTok, Facebook, Instagram, Threads and YouTube;
- Google Business Profiles – management and optimisation via the Google Business Profile API;
- Website Analytics – performance reports via the Google Analytics Data API;
- SEO Monitoring – indexing and search analysis via the Google Search Console API.
OAuth authorisation tokens from the respective platforms are processed to perform actions on behalf of the user and retrieve analytics data.
2. What data we collect
| Category | Examples | Source |
|---|---|---|
| Account data | Name, email address | Registration form |
| Payment data | PayPal transaction ID | Checkout via PayPal |
| Usage / Analytics data | IP address, device, page views, heat maps, cookies | Stordia Analytics, server logs |
| User-generated content | Photos, files, links, websites | You (platform upload) |
| Google API data | Business profile data, website statistics, SEO data, email, name | Google APIs (OAuth authorisation) |
3. Purposes and legal bases (Art. 6 GDPR)
| Purpose | Legal basis |
|---|---|
| Account creation & service delivery | Contract performance (Art. 6(1)(b)) |
| Payment processing & bookkeeping | Contract / legal obligation |
| Behavioural analysis & product improvement | Legitimate interest |
| Managing Google Business Profiles | Contract performance (Art. 6(1)(b)) |
| Creating analytics & SEO reports | Contract performance (Art. 6(1)(b)) |
| Marketing emails | Consent |
| Personalised advertising | Consent |
4. Cookies & Tracking
We use our own cookies and the Stordia Analytics pixel to store your session, generate statistics and – with your consent – personalise content and advertising. A banner with granular settings appears on your first visit. “Do Not Track” signals are respected.
5. Sharing & Disclosure
- Service providers: Hetzner (on-premises EU hosting), PayPal (payments), Stordia Analytics (in-house).
- Google: use of Google API services in accordance with the User Data Policy.
- No transfers to third countries outside the EEA.
- No data sales under CCPA.
- Disclosure only where legally required or for security purposes.
5a. Use of Google API Services
Stordia uses various Google API services for hospitality and food & beverage clients.
What Google data we collect
| Google service | Data collected | Purpose |
|---|---|---|
| Google Business Profile API Scope: business.manage | Business profiles, location data, opening hours, reviews, photos, posts | Management and optimisation of Google Business Profiles |
| Google Analytics Data API Scope: analytics.readonly | Website statistics, visitor counts, page views, traffic sources, user behaviour (aggregated) | Creation of performance reports |
| Google Search Console API Scope: webmasters.readonly | Search queries, clicks, impressions, indexing status, crawl data | SEO monitoring and technical website analysis |
| Google account data Scopes: userinfo.email, userinfo.profile | Email address, name, profile picture | Authentication and OAuth assignment |
How we use Google data
Use is limited to:
- managing, updating and optimising our clients' Google Business Profiles;
- creating analytics reports for client websites and monitoring online performance;
- conducting SEO analyses and identifying technical indexing issues;
- verifying the identity of the authorised user.
Data is not used for advertising purposes, profiling, selling to third parties, or any other purposes beyond those described.
Storage and retention of Google data
- Google API data is processed on EU servers (Hetzner, Germany).
- OAuth access tokens are stored encrypted and deleted immediately upon revocation.
- Analytics and SEO data: retained for the duration of the contract, deleted 30 days after contract end.
- Deletion requests: privacy@stordia.com
Sharing of Google data
- Google API data is not sold, rented or shared with third parties.
- Access only by authorised Stordia staff.
- Disclosure only where legally required or with explicit user consent.
Security measures for Google data
- TLS encryption for all data transfers
- Encryption of data at rest on servers
- API keys with HTTP referrer restrictions
- OAuth tokens with minimum required permissions
- Regular review of access permissions
Google API Services – Limited Use Disclosure
Stordia's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
- Google API data used only to provide the described functions.
- Transfer to third parties only where required for functionality, with consent, for security or legal reasons.
- Read access only with consent, for security, legal reasons, or for aggregated/anonymised data.
- Any other transfer, use or sale is prohibited.
Revoking Google access
Access can be revoked:
- In your Google account under “Security → Third-party apps with account access”
- By contacting: privacy@stordia.com
After revocation, stored Google data will be deleted within 30 days.
6. Retention periods
Inactive accounts are deleted 14 days after the last activity. Transaction data is retained for 10 years in accordance with § 147 AO. Analytics logs are anonymised after 12 months. Google API data: see section 5a.
7. Security
TLS encryption, encryption of data at rest and strict access controls help protect your data. Google API data has additional security measures in place. No guarantee of absolute protection can be given.
8. Your rights
You have the right to access, rectification, erasure, restriction, objection, data portability and withdrawal of consent. Contact us at privacy@stordia.com. For revoking Google access, see section 5a.
9. Child protection
Our service is not directed at persons under 13 years of age. If we become aware of data from children collected without parental consent, it will be deleted immediately.
10. Changes to this policy
Material changes will be communicated by email or banner 14 days before taking effect.
11. Contact
Data Protection Officer: dpo@stordia.com