ProvenExpert and Data Protection – What Belongs in the Privacy Policy
Concise guide to ProvenExpert: data processed by the rating seal, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.
When a website operator embeds the ProvenExpert rating seal, web server log data, device data, browser information and coarse location data of website visitors are processed for the purpose of displaying the seal and presenting reviews externally – typically on the basis of a third-party content consent or a legitimate interest (Art. 6 (1) (f) GDPR). This page explains in compact form which data ProvenExpert processes when the seal is embedded, how the processing roles are to be classified, and what website operators should include about ProvenExpert in their privacy policy. The presentation is based on the publicly available information from the provider and does not replace a case-by-case legal assessment.
A. ProvenExpert – Purpose and Functionality
ProvenExpert is a review platform operated in Germany by Expert Systems AG, headquartered in Berlin. Website operators – often service providers, trades, agencies and B2B companies – collect customer reviews there and can present the aggregated rating externally as a so-called rating seal or "Premium Seal".
Beyond the platform account itself, ProvenExpert offers several functional areas: collecting and publishing reviews, sending review invitations to the website operator's customers, aggregating reviews from other portals, and various marketing and analysis functions inside the ProvenExpert account. This tool page focuses on the integration function most relevant to data protection: embedding the rating seal on the website operator's site via JavaScript snippet or iframe from www.provenexpert.com. Other functions (review invitation campaigns, the ProvenExpert directory profile, backend tools) are out of scope here and may need to be addressed separately in the privacy policy.
When a page with an embedded ProvenExpert seal is loaded, the visitor's browser establishes a direct connection to ProvenExpert servers and loads the seal script, images and any further content from there. Only this makes the seal visible and interactive. This direct server contact is the decisive point under data protection law: with the request, connection data – in particular the visitor's IP address – is necessarily transmitted to ProvenExpert.
B. Mandatory Information in the Privacy Policy When Using ProvenExpert
The GDPR requires website operators to provide a privacy policy that, in addition to general information (controller, data subject rights, supervisory authority), contains certain tool-specific mandatory disclosures. Concerning the use of ProvenExpert, these include in particular the purposes of processing (Art. 13 (1) (c) GDPR), the legal bases (Art. 13 (1) (c) GDPR), where processing is based on a balancing of interests, the specifically pursued legitimate interests (Art. 13 (1) (d) GDPR), the recipients or categories of recipients (Art. 13 (1) (e) GDPR), information on any third-country transfers (Art. 13 (1) (f) GDPR) as well as the storage period or criteria for it (Art. 13 (2) (a) GDPR). Where data – as is partly the case with the rating seal – are not collected directly from the data subject but captured automatically with the browser request, the requirements of Art. 14 GDPR may additionally apply.
These mandatory disclosures are detailed below for ProvenExpert – so that website operators can recognise which building blocks belong in a privacy policy when the rating seal is embedded on their own site.
In practice, however, it has become common to include a separate text module for each individual tool in the privacy policy – also for ProvenExpert. This "text-module-per-tool" habit results in long, legalese-style passages that repeat content, are hard to maintain and barely readable for users. A more appropriate approach is a topic-oriented structure that describes similar processing operations (server operation, third-party content, newsletter, tracking, sales …) in an overarching way and names specific service providers – including ProvenExpert – only in an appendix of recipients. This is exactly the methodology used by the matterius generator.
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider of ProvenExpert
The contracting party for German website operators is, according to publicly available information:
- Expert Systems AG
- Quedlinburger Straße 1, 10589 Berlin, Germany
- Country of seat: Germany (EU)
- Commercial register: Amtsgericht Berlin-Charlottenburg, HRB 188499 B
- Data protection contact: privacy@provenexpert.com
- Privacy policy: provenexpert.com/de-de/datenschutzbestimmungen
- Imprint: provenexpert.com/de-de/impressum
Since Expert Systems AG is headquartered in Germany and therefore within the EU, a direct data transfer to an unsafe third country within the meaning of Art. 44 et seq. GDPR with ProvenExpert as the primary recipient does not arise as such. According to the provider's privacy notices, however, Expert Systems AG uses sub-processors (including Google Cloud Platform as hosting provider), where website operators should examine on a case-by-case basis whether and to what extent data are transferred to third countries and which safeguards (in particular EU Standard Contractual Clauses, EU-US Data Privacy Framework) apply.
D. Data Processing at ProvenExpert – Step by Step
When a visitor opens a page containing the seal, the browser requests the seal script, images and any further content directly from www.provenexpert.com. Connection data is transmitted to ProvenExpert in the process.
E. Data Collected by the ProvenExpert Rating Seal
When the ProvenExpert seal is embedded on a website, according to the publicly available information from the provider, the following data are processed in particular: the visitor's IP address, date and time of the request, the URL of the embedding page (referrer), information on the browser and operating system used, as well as technical metadata of the request. Depending on the specific seal variant, cookies or comparable technologies may additionally be used.
The data fall into the following standardised categories:
- Web server log data: Data that the ProvenExpert server receives with each request from the user's device, in particular the IP address of the internet connection, date, time and time zone of the request, URL of the requested content (script, image, file of the seal), the address of the embedding page (referrer), information about the browser, operating system and device used, as well as supplementary technical metadata such as response status code and amount of data transferred.
- Device data: Information about the user's device, e.g. device type, operating system, screen resolution and size, device orientation.
- Browser information: Information about the browser used, e.g. browser name, browser version and possibly installed extensions.
- Coarse location data: The user's coarse location at city or municipal level determined from the IP address.
If individual seal variants set cookies, additional data categories (e.g. click paths on the operator's own site, interaction data with the seal) come into play. Website operators should review the specific seal snippet they use.
F. Purposes of the Website Operator When Using ProvenExpert
The website operator embeds the ProvenExpert rating seal in order to visibly display its own review level, build trust with website visitors and increase conversion rates (e.g. enquiries, orders). The data processing connected to displaying the seal also serves the technically proper delivery of the seal as well as security and abuse prevention on ProvenExpert's side.
The purposes can be classified into the following standardised purpose categories:
- Service provision: Providing the functionality of the rating seal on the website, including the display of rating information, interactive elements and any link to the ProvenExpert profile; as well as error detection, error correction and error prevention.
- Security and abuse prevention: Detecting, preventing and ending attacks on the ProvenExpert infrastructure, e.g. DDoS attacks, spam and bot defence.
- General marketing: External presentation of the website operator's review and reputation metrics to website visitors – an advertising and trust function vis-à-vis the general audience, without personalisation.
- General product improvement: Adjustment of the online services on the basis of aggregated load and usage figures of the seal, e.g. to assess the conversion impact of the seal.
Where ProvenExpert is also used to send review invitations to existing customers, the additional purposes communication and possibly general marketing apply; this functional area must be addressed separately in the privacy policy.
G. Legal Bases for ProvenExpert in the Privacy Policy
The ProvenExpert rating seal falls into the third-party content category (reviews) – a tool category in which embedding the seal creates a direct connection from the browser to a third-party server, comparable to embedded maps, videos or fonts.
For this category, the following legal bases typically come into consideration:
- Third-party content consent (Art. 6 (1) (a) GDPR in conjunction with Sec. 25 (1) TDDDG, where cookies or comparable terminal-equipment access take place) – often obtained via the consent management tool; the seal is loaded only after consent.
- Legitimate interest (Art. 6 (1) (f) GDPR), where no cookies or terminal-equipment access subject to Sec. 25 TDDDG are involved, with interests in advertising, efficiency and business steering (external presentation of review reputation, lean integration).
For the sending of review invitations through ProvenExpert to the website operator's own customers, depending on the constellation, legitimate interests in advertising and improvement and the competition-law privilege in Sec. 7 (3) UWG (direct advertising to existing customers for the operator's own similar goods or services) are additionally relied upon; in deviating constellations, consent (Art. 6 (1) (a) GDPR in conjunction with Sec. 7 (2) No. 2 UWG) is required.
The applicable legal basis depends on which specific seal variant is embedded, whether cookies are set, and how ProvenExpert is used for review invitations. It must be assessed by the website operator on a case-by-case basis.
This classification is based on the publicly available information from the provider and on generally accepted data protection principles. It does not replace an individual legal assessment – in particular regarding the use of cookies, the specific configuration of the seal and any review-invitation functions.
H. Particularities and Notes on ProvenExpert
- Advantage of EU seat: The contracting party Expert Systems AG is a German stock corporation seated in Berlin. A third-country transfer directly to the contracting party therefore typically does not occur. Sub-processors (e.g. Google Cloud) may nonetheless lead to third-country relevance – safeguards (SCC, possibly EU-US Data Privacy Framework) must be reviewed case by case.
- Controllership role: With regard to its own platform and the processing operations initiated by the provider itself, Expert Systems AG acts, according to publicly available information, as an independent controller. For processing operations initiated and steered by the website operator (in particular the sending of review invitations to the operator's own customers), processing on behalf under Art. 28 GDPR comes into consideration; the conclusion of a DPA and its scope must be verified with the provider and documented.
- Sub-processors: According to the privacy notices, Expert Systems AG uses, among others, Google Cloud Platform for hosting, Stripe and PayPal for payments and HubSpot and CleverReach for marketing/email functions. For the delivery of the rating seal itself, the hosting sub-processor is particularly relevant.
- Cookies and consent banner: If the ProvenExpert seal sets cookies or makes comparable terminal-equipment accesses, consent under Sec. 25 (1) TDDDG is required; in this case the seal should be loaded only after consent via the consent management tool.
- External presentation of reviews: Independently of data protection, requirements under unfair competition law for the presentation of customer reviews (transparency under Sec. 5, 5b UWG) must be observed.
- Uncertainties as to specific data scope: The publicly available ProvenExpert privacy notices are not exhaustively granular regarding the precise data flows of the embedded seal. In case of doubt, the exact data categories and retention periods should be queried directly with the provider and additionally addressed in the privacy policy.
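The consent-gated loading described under "Cookies and consent banner", as an added example that is not code from ProvenExpert or matterius: a small loader that injects the seal script or iframe into the page only once the consent management tool signals consent, and that refuses any URL that is not HTTPS on www.provenexpert.com. The seal URL (a placeholder), the container element id, the `kind` parameter and the injected `doc` object are assumptions; the real snippet comes from your own ProvenExpert account.

```javascript
// Added example, not code from ProvenExpert or matterius. Assumed: the seal
// snippet is a single script or iframe URL (placeholder in the usage below),
// the page has a container element for the seal, and the consent tool calls
// grantConsent() for the "third-party content" purpose. `doc` is injected so
// the logic can run and be tested without a browser.
const SEAL_HOST = 'www.provenexpert.com';

// Accept only HTTPS URLs on the expected third-party host, so a mistyped or
// tampered snippet cannot pull content from a different server.
function isAllowedSealUrl(url) {
  let parsed;
  try { parsed = new URL(url); } catch (e) { return false; }
  return parsed.protocol === 'https:' && parsed.hostname === SEAL_HOST;
}

// kind: 'script' (JavaScript snippet variant) or 'iframe' (iframe variant).
function createSealLoader(doc, sealUrl, containerId, kind = 'script') {
  const state = { consented: false, loaded: false, rejected: null };

  function load() {
    if (!state.consented || state.loaded) return false;  // no consent yet, or already on the page
    if (!isAllowedSealUrl(sealUrl)) { state.rejected = sealUrl; return false; }
    const container = doc.getElementById(containerId);
    if (!container) return false;                        // nothing to render into
    let el;
    if (kind === 'iframe') {
      el = doc.createElement('iframe');
      el.src = sealUrl;
      el.loading = 'lazy';
    } else {
      el = doc.createElement('script');
      el.src = sealUrl;
      el.async = true;
    }
    // Send only the embedding site's origin as referrer, not the full page URL.
    el.referrerPolicy = 'strict-origin-when-cross-origin';
    container.appendChild(el);                            // first request to ProvenExpert happens here
    state.loaded = true;
    return true;
  }

  return {
    grantConsent() { state.consented = true; return load(); }, // wire this to the consent tool
    revokeConsent() { state.consented = false; },              // already loaded seal disappears only on reload
    status() { return { ...state }; },
  };
}

// Usage in a browser (placeholder URL; use the snippet from your account):
// const seal = createSealLoader(document,
//   'https://www.provenexpert.com/PLACEHOLDER/seal.js', 'pe-seal');
// consentTool.onAccept('third-party-content', () => seal.grantConsent());
```

Until `grantConsent()` runs, no element pointing at ProvenExpert exists in the DOM, so the browser makes no request and no IP address or referrer reaches the provider.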
I. ProvenExpert FAQ
J. Conclusion on ProvenExpert and Call-to-Action
ProvenExpert, headquartered in Berlin, is – from a data protection perspective – a comparatively manageable tool: the contracting party is a German stock corporation, no direct transfer to unsafe third countries occurs at the contracting party itself, and the "rating seal" function clearly falls into the category of third-party content. The data-protection-relevant aspect is mainly that loading the seal creates a direct connection from the browser to ProvenExpert servers, and that this entails web server log data, device data, browser information and coarse location data.
For website operators it is usually of little use to include a separate text module just for ProvenExpert in their privacy policy. This makes the privacy policy long, unclear and hard to maintain – and runs counter to the transparency requirement of Art. 12 (1) GDPR. A more appropriate approach is a structured, topic-oriented format that explains similar processing operations (e.g. "third-party content / reviews", "server operation", "newsletter", "tracking") in an overarching way and names ProvenExpert only in the appendix of recipients as a specific service provider. This is precisely the methodology of the matterius generator.
This article serves as general information on ProvenExpert and does not replace legal advice in individual cases. The presentation is based on publicly available information from the provider and on generally accepted data protection principles. As of: 2026-05-07.
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com