Privacy Policy

2.1 Scope of Personal Data Processing

We generally process personal data only to the extent necessary to:

• provide a functional website,
• respond to enquiries,
• offer services and initiate or fulfil contracts,
• ensure security, stability and protection against misuse,
• and – with consent – provide analytics and marketing features (e.g. advertising).

2.2 Legal Bases

Depending on the processing activity, we rely on:

• Art. 6(1)(a) GDPR (consent)
• Art. 6(1)(b) GDPR (contract / pre-contractual measures)
• Art. 6(1)(c) GDPR (legal obligation)
• Art. 6(1)(f) GDPR (legitimate interest, e.g. IT security, website operation)

Where cookies or similar technologies are stored on or read from your device, the TDDDG (German Telecommunications Digital Services Data Protection Act) also applies:

• § 25(2) TDDDG (technically necessary cookies)
• § 25(1) TDDDG (optional cookies/tracking only with consent)

2.3 Data Deletion and Retention

We delete or block personal data as soon as the purpose for storage ceases to apply, unless statutory retention obligations (e.g. commercial or tax law) require otherwise. Consent may be revoked at any time with effect for the future.

3.1 Hosting / Operations

Our website is hosted by Hetzner (Germany). It is operated via a web server configuration using nginx (reverse proxy and TLS/HTTPS).

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure and stable website operation).

Data processing agreement: Where required, a data processing agreement pursuant to Art. 28 GDPR is in place with the hosting provider.

3.2 Website Delivery and Log Files

Each time you access our website, our system automatically processes data and information transmitted by your browser. This includes in particular:

• IP address
• Date and time of access
• Pages/files accessed
• Referrer URL
• Browser type/version
• Operating system
• HTTP status code
• Amount of data transferred

Purpose: Website delivery, ensuring functionality, error analysis, attack prevention, IT security.

Legal basis: Art. 6(1)(f) GDPR.

Retention period: Log files are stored for 14 days and then deleted or anonymised, unless a security-relevant event necessitates longer retention for investigation purposes.

4.1 Cookies

Cookies are small text files that your browser stores on your device. We use:

• technically necessary cookies to provide basic functionality (e.g. language settings, security features),
• optional cookies/tracking technologies (e.g. advertising/analytics) that are only used with your consent.

4.2 Consent Management (Cookie Banner)

We use a consent management tool to obtain, manage and document consent for optional cookies/tracking (e.g. marketing/ads/analytics).

Consent tool: Custom cookie consent banner (client-side, no external service).

Processed data: Consent status per category (necessary, functional, analytics, marketing), timestamp of consent. The data is stored as a cookie in your browser (retention: 6 months).

Legal basis:

• Consent for optional cookies/tracking: Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG
• Documentation/proof: Art. 6(1)(c) GDPR or Art. 6(1)(f) GDPR

Note: Optional services (e.g. Google Analytics, advertising) are only activated after consent.

4.3 Revocation / Cookie Settings

You may revoke or change your consent at any time via the cookie banner. You can also delete or block cookies through your browser settings. Disabling cookies may limit certain functionality.

5.1 Description, Purpose and Scope

When you contact us via the contact form or e-mail, we process the data you provide, e.g.:

• Name
• E-mail address
• Phone number (if provided)
• Company (if provided)
• Content of your message / enquiry

Additionally, technical data (e.g. timestamp, IP address) may be processed for abuse prevention and system security, particularly when forms are used.

5.2 Legal Basis

• Art. 6(1)(b) GDPR (pre-contractual measures / contract), if your enquiry is directed towards this
• Art. 6(1)(f) GDPR (legitimate interest in communication, abuse prevention, IT security)
• where applicable Art. 6(1)(a) GDPR, if consent is requested in the form

5.3 Retention Period

We delete enquiries after processing is complete, unless statutory retention obligations apply.

6.1 Description and Purpose

We offer an AI-based chatbot on our website that answers questions about our services and offerings. The chatbot uses the OpenAI API to generate responses. Use of the chatbot is voluntary and requires your prior consent.

6.2 Processed Data

The following data is processed when using the chatbot:

• Your entered messages (chat history of the current session)
• IP address (for rate limiting and abuse protection)
• Technical metadata of the request (e.g. timestamp)

Chat messages are transmitted to OpenAI servers to generate a response. No personal data is permanently stored. The chat history exists only during the active session.

6.3 Provider

OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, USA.

OpenAI privacy policy: https://openai.com/policies/privacy-policy

6.4 Legal Basis

Art. 6(1)(a) GDPR (consent). You consent to data processing before using the chatbot. You may revoke your consent at any time by closing the chat and discontinuing use.

6.5 Third-Country Transfer

When using the chatbot, data is transferred to OpenAI in the USA. The transfer is based on the EU-US Data Privacy Framework (DPF) or Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR.

6.6 Notice

Please do not enter any sensitive personal data in the chat (e.g. health data, financial data, passwords). The chatbot's responses do not constitute legal, tax or financial advice.

7.1 Description and Purpose

We use Google Analytics 4 (GA4) to analyse the use of our website, provided you have consented via our cookie banner. GA4 uses cookies and similar technologies to collect information about your usage behaviour (e.g. pages visited, time on site, device type, approximate location).

7.2 Provider

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

7.3 Google Consent Mode v2

We use Google Consent Mode v2. This means Google Analytics only fully collects data after your consent. Without consent, no analytics cookies are set and no personal data is transmitted to Google.

7.4 Legal Basis

Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG (consent).

7.5 Third-Country Transfer

Data may be transferred to Google servers in the USA. The transfer is based on the EU-US Data Privacy Framework (DPF) and/or Standard Contractual Clauses (SCC).

7.6 Revocation

You may revoke your consent at any time via the cookie banner. Data already collected remains unaffected.

8.1 Google Ads / Conversion Tracking

If we use Google Ads and conversion tracking, cookies may be set to measure the success of advertising campaigns.

Provider: Google Ireland Limited, Dublin, Ireland.

Legal basis: Consent (Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG).

Third-country transfer: possible (USA), based on the EU-US DPF and/or SCC.

8.2 Google AdSense

If we use Google AdSense to display advertisements, cookies/identifiers may be used to serve, personalise and measure the effectiveness of ads.

Provider: Google Ireland Limited, Dublin, Ireland.

Legal basis: Consent (Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG).

Third-country transfer: possible (USA), based on the EU-US DPF and/or SCC.

9.1 Links

When you click our social media links, you will be redirected to the respective platform. Data processing by us only takes place when you interact with the respective profile. The privacy policies of the respective provider apply.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in public relations and communication).

9.2 Embeds

When we embed content from LinkedIn, X or Instagram on our website (e.g. post/feed widgets), data may be transmitted to the respective provider when the page loads (e.g. IP address, device/browser data, referrer). Where possible, we load such embeds only after your consent via our consent tool.

Legal basis: Art. 6(1)(a) GDPR (consent).

9.3 Third-Country Transfer

When using X and Instagram/Meta, data may be transferred to the USA. The transfer is based on the EU-US Data Privacy Framework (DPF) and/or Standard Contractual Clauses (SCC).