Privacy Policy
Last updated: 23 June 2026
Thank you for your interest in our website. Protecting personal data is important to us. This Privacy Policy explains which personal data we process when you use our website, for which purposes, on which legal basis and which rights you have as a data subject.
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
JBG Investitionen UG (haftungsbeschränkt)
Eitelstraße 71
10317 Berlin
Germany
Email: privacy@jbgai.com
Website: jbgai.com
Represented by: Johannes Burgard, Managing Director
2. Data Protection Officer
No data protection officer has currently been appointed. For any privacy-related questions, you may contact us using the contact details above.
3. General information on data processing
Personal data means any information relating to an identified or identifiable natural person. This includes, for example, names, email addresses, IP addresses, communication content or technical usage data.
We process personal data only to the extent necessary to provide the website, respond to inquiries, conduct events, communicate with prospects, customers and business partners, maintain business relationships or comply with legal obligations.
Processing is carried out in particular on the following legal bases:
- Art. 6(1)(a) GDPR, where consent has been given;
- Art. 6(1)(b) GDPR, where processing is necessary for pre-contractual measures or the performance of a contract;
- Art. 6(1)(c) GDPR, where processing is necessary to comply with a legal obligation;
- Art. 6(1)(f) GDPR, where we or a third party have a legitimate interest and the interests or fundamental rights and freedoms of the data subject do not override that interest.
4. Provision of the website and server log files
When you visit our website, technical data is automatically processed to provide, stabilize and secure the website. This may include in particular:
- IP address;
- date and time of access;
- page or file accessed;
- referrer URL;
- browser type and version;
- operating system;
- device used;
- amount of data transferred;
- HTTP status code.
This processing is carried out to technically provide the website, detect attacks and malfunctions, ensure system security and technically optimize the website.
The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure, stable and error-free provision of our website.
Server log files are generally stored only for as long as necessary for the purposes stated above. Longer storage may take place if required to investigate security incidents or to establish, exercise or defend legal claims.
5. Hosting, content management, forms, CRM and Buyer Intent via HubSpot
Our website is operated using HubSpot. HubSpot provides website hosting, content management, contact forms, analytics functions, customer relationship management and functions for analyzing website visits at company level.
The provider is in particular:
HubSpot Germany GmbH
Am Postbahnhof 17
10243 Berlin
Germany
and, where applicable, other HubSpot entities, in particular HubSpot, Inc. in the United States.
When HubSpot is used, the following data may in particular be processed:
- technical usage data when visiting the website;
- IP address and device information;
- online identifiers;
- pages accessed and interactions with the website;
- timestamps and URL paths of website visits;
- form submissions;
- name, email address, company, role/function and message, where voluntarily provided;
- communication and CRM data when you contact us;
- information about previous communication or interactions with our content, where technically possible and legally permissible;
- information about which companies visit our website, where attribution at company level is possible.
HubSpot processes personal data partly as a processor on our behalf. Where HubSpot pursues its own purposes or provides certain functions independently, HubSpot may also act as an independent controller or as a joint controller with us. The specific allocation of roles depends on the HubSpot functions used and the contractual arrangements with HubSpot.
The legal bases are, depending on the processing activity:
- Art. 6(1)(b) GDPR, where processing is necessary to respond to an inquiry or take pre-contractual steps;
- Art. 6(1)(f) GDPR, where processing serves technical provision, security, error analysis, maintenance of business relationships, internal organization or B2B market analysis;
- Art. 6(1)(a) GDPR, where you have consented to non-essential cookies, tracking, analytics functions or marketing communication.
Where personal data is transferred to countries outside the European Union or the European Economic Area, this will take place only on the basis of an adequacy decision by the European Commission or appropriate safeguards under Art. 46 GDPR, in particular standard contractual clauses.
We currently do not use automatic enrichment of contact or company records through HubSpot Data Enrichment. If such a function is used in the future, this Privacy Policy will be updated accordingly.
6. Cookies and similar technologies
Our website uses cookies and similar technologies, such as local storage, session storage or tracking pixels. We distinguish between technically necessary and non-essential technologies.
We use a HubSpot cookie consent banner. Through this banner, visitors can grant or refuse consent to non-essential cookies and similar technologies. Cookie settings can be changed or withdrawn at any time through the Cookie Settings page on this website.
6.1 Technically necessary technologies
Technically necessary technologies are required to provide the website, enable security functions, store language settings, provide forms or manage consent.
The storage of or access to information on your device is based on Section 25(2) of the German Telecommunications Digital Services Data Protection Act (TDDDG). The subsequent processing of personal data is based on Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure and functional provision of our website.
6.2 Non-essential technologies, analytics and tracking
We use non-essential technologies, in particular analytics and tracking technologies, only if you have given your prior consent. This includes in particular HubSpot analytics and Buyer Intent functions, which allow us to understand how visitors use our website, which pages are accessed, how users interact with content or forms and which companies visit our website.
The storage of or access to information on your device is based on Section 25(1) TDDDG. The subsequent processing of personal data is based on your consent pursuant to Art. 6(1)(a) GDPR.
You may withdraw or change your consent at any time with effect for the future. To do so, you can reopen the Cookie Settings page on this website.
7. HubSpot Analytics, website tracking and Buyer Intent
We use HubSpot analytics and tracking functions to better understand the use of our website, improve our offering and, in a B2B context, identify which companies show interest in our content.
In this context, the following data may in particular be processed:
- page views;
- clicks and interactions;
- time spent on pages;
- referrer;
- device and browser information;
- IP address;
- online identifiers;
- timestamp of the website visit;
- URL paths of the pages visited;
- form submissions and later website interactions, where assignment to a contact is technically possible and legally permissible;
- company information, where HubSpot can attribute website visits at company level.
HubSpot’s Buyer Intent function may attribute website visits to companies using technical information, in particular IP addresses, online identifiers and visited URL paths. We use this information to better understand which companies are interested in our content and services. The analysis is carried out in a B2B context and serves internal market analysis, prioritization of business communication and improvement of our content.
Where HubSpot Analytics, website tracking or Buyer Intent use non-essential cookies or similar technologies, they are used only on the basis of your consent pursuant to Section 25(1) TDDDG and Art. 6(1)(a) GDPR.
Where, after consent has been given, further analysis at company level is carried out, we additionally base this processing on Art. 6(1)(f) GDPR. Our legitimate interest lies in analyzing and optimizing our B2B offering, conducting targeted business communication and better aligning our content with relevant company target groups.
8. Contact form and communication
If you contact us via a contact form, by email or by other means, we process the data you provide. This may include in particular:
- name;
- email address;
- company;
- role or function;
- telephone number, if provided;
- subject;
- message;
- time of inquiry;
- technical metadata of the form submission.
We process this data to handle your inquiry, communicate with you, prepare or conduct a business relationship and document the communication.
The legal basis is Art. 6(1)(b) GDPR if your inquiry relates to the conclusion or performance of a contract. In other cases, the legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in efficiently handling inquiries and maintaining business contacts.
The submitted data may be stored in HubSpot and made internally accessible to the responsible persons.
We generally store contact inquiries for as long as necessary to handle the inquiry and for reasonable business follow-up. Where statutory retention obligations apply or the data is required to establish, exercise or defend legal claims, longer storage may take place.
9. AI-powered chat advisor “Mr. Saltcake”
Through our website, we provide access to an AI-powered chat advisor under the name “Mr. Saltcake”. Mr. Saltcake helps users answer structured questions, organize their thoughts and receive a summary, assessment or inspiration based on their input. Mr. Saltcake does not make decisions about users and does not replace individual legal, tax, technical or other professional advice.
When using Mr. Saltcake, the following personal data may in particular be processed:
- registration and login data;
- name, email address and, where applicable, company information;
- content of the chat communication;
- technical session data;
- generated summaries and assessments;
- information on whether contact by JBG Advisory was requested;
- transactional email communication, in particular summaries, confirmations or deletion confirmations.
The processing is carried out to provide the chat advisor, store user sessions, process the information entered, generate AI-supported responses and summaries, provide results by email, implement deletion requests and, where expressly requested by the user, enable contact by JBG Advisory.
The legal basis is Art. 6(1)(b) GDPR where the processing is necessary to provide the chat advisor requested by you, manage your session and generate or transmit the requested summary. This applies in particular where the use of Mr. Saltcake serves to initiate a possible business relationship or prepare advisory services.
Where individual processing activities are based on your consent, in particular optional contact requests, lead forwarding or later marketing communication, the legal basis is Art. 6(1)(a) GDPR. You may withdraw consent at any time with effect for the future.
Where processing serves security, error analysis, abuse prevention, documentation, internal organization or improvement of the service, we base this processing on Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure, reliable and traceable provision of the service.
To provide Mr. Saltcake, we use in particular the following technical service providers:
- Vercel Inc. for hosting and technical provision of the application;
- Supabase for database functions, authentication and storage of session data; according to our configuration, the Supabase project is operated in the European Union;
- Anthropic PBC for AI processing of chat content to generate responses, interview flow and summaries;
- Resend / Plus Five Five, Inc. for sending transactional emails, in particular summaries and deletion confirmations.
Where these service providers process personal data on our behalf, this is done on the basis of corresponding data processing agreements pursuant to Art. 28 GDPR. Where personal data is transferred to countries outside the European Union or the European Economic Area, in particular to the United States, this is done only on the basis of an adequacy decision by the European Commission or appropriate safeguards pursuant to Art. 46 GDPR, in particular standard contractual clauses.
When using Anthropic’s commercial interface, inputs and outputs are, according to Anthropic, not used by default to train Anthropic’s models.
Session data in Mr. Saltcake is stored for a maximum of 180 days and then automatically deleted. Users may also delete their sessions at any time within the application. Deleting a session removes the stored conversation and the corresponding summary from the application.
Please note: If, while using Mr. Saltcake, you expressly requested contact by JBG Advisory, a notification may already have been sent to JBG Advisory for this purpose. Deleting the session within the application does not automatically delete such an already sent notification. If you also wish to have such a notification or related contact data deleted, please contact us at privacy@jbgai.com.
We do not use Mr. Saltcake for automated decision-making within the meaning of Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you. The generated content serves only as food for thought, a structuring aid and inspiration.
10. Event registrations via Microsoft Forms
For individual events, we may use Microsoft Forms for registration or for collecting participant information. If you complete such a form, you may leave our website and use a form provided by Microsoft.
The provider is in particular:
Microsoft Ireland Operations Limited
One Microsoft Place
South County Business Park
Leopardstown
Dublin 18
Ireland
and, where applicable, Microsoft Corporation, United States.
For event registrations, the following data may in particular be processed:
- name;
- email address;
- company;
- function or role;
- participation details;
- voluntary information in free-text fields;
- technical metadata relating to the use of the form.
We process this data to plan, conduct and follow up on the relevant event, communicate with participants and, where applicable, document participation.
The legal basis is Art. 6(1)(b) GDPR where processing is necessary to conduct the event or process your registration. Where we contact you in connection with the event or conduct organizational follow-up, processing may additionally be based on Art. 6(1)(f) GDPR. Our legitimate interest lies in organizing and following up on the event. Where you give consent for further communication, such as marketing information, the legal basis is Art. 6(1)(a) GDPR.
Microsoft processes personal data depending on the product and contractual setup as a processor or as an independent controller. Where data is transferred to countries outside the European Union or the European Economic Area, this will take place only on the basis of an adequacy decision or appropriate safeguards under Art. 46 GDPR, in particular standard contractual clauses.
We generally store event data for as long as necessary to organize, conduct and follow up on the event. As a rule, event data will be deleted or anonymized no later than 12 months after the respective event, unless statutory retention obligations apply, consent for further communication exists or legitimate interests justify further storage.
11. Newsletter, invitations and marketing communication
If we offer newsletters, event invitations or similar marketing communication and you subscribe or give consent, we process your contact details to send you the requested information.
This may include in particular:
- name;
- email address;
- company;
- role or function;
- time of consent;
- content of the consent;
- proof of the subscription or confirmation process;
- unsubscribe or withdrawal information.
Processing is based on your consent pursuant to Art. 6(1)(a) GDPR. You may withdraw your consent at any time with effect for the future. You can do so by using the unsubscribe link in the relevant message or by contacting us using the contact details above.
We may store proof of your consent in order to demonstrate the lawfulness of the subscription and communication. The legal basis for this is Art. 6(1)(f) GDPR. Our legitimate interest lies in documenting and defending lawful communication.
If we analyze newsletter opening or click rates on a personal basis, this will only take place where valid consent has been given or where the analysis is legally permissible.
12. CRM, business contacts, Buyer Intent and lead management
If you enter into business contact with us, we may store and process your contact details in our CRM system. This applies in particular to prospects, customers, cooperation partners, service providers and other business contacts.
The following data may be processed in particular:
- name;
- business contact details;
- company;
- position or role;
- communication history;
- interest in our services;
- information from meetings, emails or forms;
- publicly available business information, where relevant and permissible;
- information about whether and how a company has interacted with our website or content, where technically possible and legally permissible.
Processing is carried out to maintain business relationships, handle inquiries, prepare offers, initiate projects, conduct projects and organize our internal business operations.
The legal bases are Art. 6(1)(b) GDPR, where processing is necessary for pre-contractual measures or the performance of a contract, and Art. 6(1)(f) GDPR. Our legitimate interest lies in the structured management of business contacts, the conduct of our business activities and targeted B2B communication.
Where HubSpot functions for company-level visitor recognition or Buyer Intent analysis are used, this is done only within the limits of applicable law and, where required, after prior consent to the cookies or similar technologies used for this purpose.
We currently do not use automatic enrichment of contact or company records through HubSpot Data Enrichment.
13. External links
Our website may contain links to external websites, partners or third-party providers. If you click an external link, you leave our website. The respective provider is responsible for the processing of personal data on external websites. Please refer to the privacy notices of the respective external providers.
14. Recipients and categories of recipients
Personal data is disclosed to third parties only where necessary for the purposes stated above, where a legal obligation exists, where consent has been given or where a legitimate interest exists.
Recipients or categories of recipients may include in particular:
- hosting, CMS, form, analytics and CRM providers, in particular HubSpot;
- providers of event registration tools, in particular Microsoft Forms;
- email and communication service providers;
- IT service providers and technical service providers;
- tax advisors, legal advisors or other professional advisors, where necessary;
- service providers for the AI-powered chat advisor “Mr. Saltcake”, in particular Vercel, Supabase, Anthropic and Resend;
- authorities, courts or other public bodies, where legally required;
- authorized internal persons within our company.
Where required, we enter into data processing agreements with processors pursuant to Art. 28 GDPR.
15. Transfers to third countries
When using certain service providers, processing of personal data outside the European Union or the European Economic Area cannot be ruled out, in particular in the United States.
Where personal data is transferred to third countries, this will take place only if the data protection requirements are met. This may be based in particular on an adequacy decision by the European Commission, standard contractual clauses pursuant to Art. 46 GDPR or other appropriate safeguards.
Upon request, we will provide further information on the safeguards used, to the extent legally possible.
16. Retention periods
We store personal data only for as long as necessary for the respective purposes or as required by statutory retention obligations.
As a general rule, the following criteria apply:
- technical log data: only for as long as required for technical provision, security and error analysis;
- cookie and consent information: for as long as required to manage and demonstrate consent;
- contact inquiries: until final handling of the inquiry and reasonable business follow-up;
- CRM and business contact data: as long as a business relationship, legitimate interest or relevant communication exists;
- event registrations: until the event has been conducted and followed up, generally no longer than 12 months after the event;
- session data in the AI-powered chat advisor “Mr. Saltcake”: a maximum of 180 days, unless deleted earlier by the user;
- newsletter and marketing consents: until consent is withdrawn;
- proof of consent: for as long as required to demonstrate consent;
- contract- and tax-relevant documents: in accordance with statutory retention obligations.
If data is no longer required for the stated purposes and no statutory retention obligations or legitimate reasons for further storage exist, it will be deleted or anonymized.
17. Your rights
Subject to the statutory requirements, data subjects have the following rights:
- right of access to the personal data processed pursuant to Art. 15 GDPR;
- right to rectification of inaccurate data pursuant to Art. 16 GDPR;
- right to erasure pursuant to Art. 17 GDPR;
- right to restriction of processing pursuant to Art. 18 GDPR;
- right to data portability pursuant to Art. 20 GDPR;
- right to object to processing based on Art. 6(1)(e) or Art. 6(1)(f) GDPR pursuant to Art. 21 GDPR;
- right to withdraw consent with effect for the future pursuant to Art. 7(3) GDPR;
- right not to be subject to a decision based solely on automated processing, including profiling, where the statutory requirements are met.
To exercise your rights, you can contact us using the contact details above.
18. Right to object pursuant to Art. 21 GDPR
If we process personal data on the basis of Art. 6(1)(f) GDPR, you have the right to object to such processing at any time on grounds relating to your particular situation.
If personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data for such marketing. This also applies to profiling to the extent that it is related to such direct marketing.
19. Withdrawal of consent
Where processing is based on your consent, you may withdraw that consent at any time with effect for the future. The lawfulness of processing carried out before withdrawal remains unaffected.
20. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates data protection law.
The supervisory authority likely responsible for our company is:
Berlin Commissioner for Data Protection and Freedom of Information
Alt-Moabit 59–61
10555 Berlin
Germany
Email: mailbox@datenschutz-berlin.de
You may also contact any other competent data protection supervisory authority.
21. Obligation to provide personal data
The provision of personal data is generally neither legally nor contractually required. However, certain functions, such as handling a contact inquiry or event registration, require certain information. Without this information, we may not be able to process the respective inquiry or registration.
22. Automated decision-making and profiling
Where our AI-powered chat advisor “Mr. Saltcake” generates AI-supported responses or summaries, this serves to support and structure information. No automated decision with legal or similarly significant effect is made as a result. We do not use automated decision-making within the meaning of Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you.
Where HubSpot collects technical information about website interactions, structures contacts in a CRM system or attributes website visits to companies, this serves internal organization, communication, analysis and optimization. No automated decision with legal or similarly significant effect is made as a result.
We currently do not use automatic data enrichment through HubSpot Data Enrichment.
23. Data security
We take appropriate technical and organizational measures to protect personal data against loss, misuse, unauthorized access, alteration or disclosure. This includes in particular access restrictions, technical safeguards, encrypted transmission and organizational security processes.
24. Changes to this Privacy Policy
We may amend this Privacy Policy if our website, the services used, our processing activities or legal requirements change. The current version is available on our website.
