Privacy policy

Privacy policy – Caralto

Last updated: 12 June 2026
This privacy policy applies to the website www.caralto.de and the Caralto app.

1. Controller

Caralto

An der alten Gärtnerei 27, 15366 Hoppegarten

Germany

Represented by:

Alexandra Westphal

Email:

info@caralto.de

2. General information

Caralto processes personal data to provide a digital platform for family, care,

health and documents. This may also involve health data and other sensitive

data within the meaning of Art. 9 GDPR.

3. Data processed

Depending on use, the following data in particular may be processed:

- Contact and registration data

- Profile data of people being cared for

- Health, care and medication data

- Documents and uploads

- Emergency information

- Calendar, task and reminder data

- Payment data

- Device and usage information

4. Purpose of processing

Processing takes place in particular for:

- Providing the platform and app

- Managing care/family profiles

- Storing documents

- Organising care and health information

- Providing emergency profiles

- Communicating with users

- Processing payments

- Improving and securing the services

5. Legal bases

Processing takes place in particular on the basis of:

- Art. 6(1)(b) GDPR (performance of a contract)

- Art. 6(1)(f) GDPR (legitimate interest)

- Art. 6(1)(a) GDPR (consent)

- Art. 9(2)(a) GDPR (consent for health data)

6. Payment processing

Caralto uses Stripe for payments.

Provider:

Stripe, Inc.

https://stripe.com

Stripe processes payment data on its own responsibility in accordance with Stripe's privacy policy.

7. Hosting and database

Caralto uses Supabase as its technical platform and database solution.

Data processing takes place on servers within the European Union, where available and configured.

8. Analytics and tracking services

Caralto may use analytics, security and performance services where these are enabled.

These may include in particular:

- Supabase Analytics

- technical log files

- error analysis

- security monitoring

Optional tracking or marketing services are only used within the limits permitted by law.

9. Sharing of data

Personal data is only shared:

- where this is necessary to perform the contract,

- on the basis of legal obligations,

- with the consent of the data subject,

- or as part of access expressly granted within the platform.

10. Storage period

Personal data is stored only as long as necessary for the respective purposes

or as required by statutory retention obligations.

11. Rights of data subjects

Data subjects have in particular the following rights:

- Access

- Rectification

- Erasure

- Restriction of processing

- Data portability

- Withdrawal of consent given

- Complaint to a data protection authority

12. International data transfer

Caralto is operated from Germany; data processing takes place primarily on servers within the European Union. Where service providers outside the EU are used in individual cases, processing outside the EU may take place.

Appropriate safeguards in accordance with the GDPR are provided for this.

13. Security

Caralto uses technical and organisational security measures to protect personal data.

These include in particular role permissions, access restrictions and protected data areas.

14. Changes

Caralto may amend this privacy policy where this is necessary due to technical,

legal or functional changes.