Privacy Policy
As of: 14 May 2026 · Pursuant to Art. 13, 14 and 21 GDPR and § 25 TDDDG
Note on this translation: This English version is a translation of our German privacy policy for informational purposes. The German version (cogswell.de/datenschutz) is legally binding under EU and German data protection law.
Preamble
The protection of your personal data is of central concern to us. With this privacy policy we inform you in accordance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and the German Telecommunications and Telemedia Data Protection Act (TDDDG) comprehensively, transparently and in understandable form about which personal data we collect when you visit the website www.cogswell.de and use the functions offered there (contact forms, order forms, AI chatbot, payment processing, web analytics, online advertising, accessibility widget), for what purposes we process it and what rights you have in this regard.
Personal data within the meaning of this declaration is all data relating to an identified or identifiable natural person (Art. 4 No. 1 GDPR) – e.g. name, address, email address, IP address, device identifiers or your usage behavior on our website.
1. Controller and Contact
Controller within the meaning of the GDPR and other data protection regulations is:
Cogswell IT
Owner: Joshua Cogswell
Georg-Moller-Weg 29
64625 Bensheim
Germany
Phone: +49 6251 9743999
Email: office(at)cogswell.de
Web: www.cogswell.de
Data Protection Officer: Due to the size and activity profile of our company, there is no legal obligation under § 38 BDSG to appoint an internal data protection officer. Please send data protection inquiries directly to the above contact address.
2. Definitions
We follow the definitions of Art. 4 GDPR. The most important ones briefly explained:
- Personal data (Art. 4 No. 1 GDPR): All information relating to an identified or identifiable natural person.
- Processing (Art. 4 No. 2 GDPR): Any operation performed on personal data with or without automated means.
- Restriction of processing (Art. 4 No. 3 GDPR): Marking stored data with the aim of limiting its future processing.
- Profiling (Art. 4 No. 4 GDPR): Automated processing of personal data to evaluate personal aspects.
- Pseudonymization (Art. 4 No. 5 GDPR): Processing in such a way that the data can no longer be attributed to a specific person without additional information.
- Controller (Art. 4 No. 7 GDPR): The entity that decides on purposes and means of processing.
- Processor (Art. 4 No. 8 GDPR): A natural or legal person who processes personal data on behalf of the controller.
- Recipient (Art. 4 No. 9 GDPR): Any natural or legal person to whom data is disclosed.
- Consent (Art. 4 No. 11 GDPR): Any freely given, specific, informed and unambiguous declaration of intent.
- Third country: A state outside the EU or the European Economic Area (EEA).
3. General Information on Data Processing
3.1 Scope and Purpose
We collect and use personal data of our users only insofar as this is necessary to provide a functional website as well as our content and services or you have consented to the processing. We follow the principles of data minimization and purpose limitation (Art. 5 GDPR).
3.2 Legal Bases (Art. 6 (1) GDPR)
The following legal bases may be applicable:
- lit. a – your consent,
- lit. b – performance of a contract or pre-contractual measures,
- lit. c – compliance with a legal obligation,
- lit. d – protection of vital interests,
- lit. e – performance of a task in the public interest,
- lit. f – legitimate interests, provided no overriding interests of the data subject prevail.
Where information is set or read on your device, we additionally examine the requirements of § 25 TDDDG: technically strictly necessary accesses are exempt from consent (§ 25 (2) TDDDG); all others only after your explicit consent (§ 25 (1) TDDDG).
3.3 Deletion and Retention Period
Personal data is deleted or anonymized as soon as the purpose of storage no longer applies. Any storage beyond this only occurs if provided by legal retention obligations – in particular § 257 HGB (6 or 10 years) and § 147 AO (6 or 10 years) – or to assert, exercise or defend legal claims (regular limitation period § 195 BGB: 3 years). A consolidated overview is in Section 21.
4. Your Rights as a Data Subject
4.1 Right of Access (Art. 15 GDPR)
You have the right to know whether and which personal data we process about you, including processing purposes, data categories, recipients, planned storage duration, origin, automated decision-making and (for third-country transfers) Art. 46 GDPR safeguards.
4.2 Right to Rectification (Art. 16 GDPR)
You have the right to demand, without undue delay, the correction of inaccurate data or the completion of incomplete data.
4.3 Right to Erasure ("Right to be Forgotten", Art. 17 GDPR)
You may request deletion of your data unless processing is necessary for the right to freedom of expression and information, compliance with a legal obligation, public interest, or for the assertion, exercise or defense of legal claims.
For a structured deletion request, please use our data deletion request form.
4.4 Right to Restriction of Processing (Art. 18 GDPR)
You may request restriction of processing if you contest the accuracy of the data, the processing is unlawful, or we no longer need the data but you need it to assert, exercise or defend legal claims.
4.5 Right to Data Portability (Art. 20 GDPR)
You have the right to receive the data you have provided in a structured, common and machine-readable format, or to demand its direct transmission to another controller, where technically feasible.
4.6 Right to Object (Art. 21 GDPR)
Where we process your data on the basis of legitimate interests (Art. 6 (1)(f) GDPR), you have the right to object to such processing at any time for reasons arising from your particular situation. You may object to processing of your data for direct marketing purposes at any time without giving reasons (Art. 21 (2) GDPR).
4.7 Right of Withdrawal (Art. 7 (3) GDPR)
Consent once given (e.g. for cookies, analytics, advertising) may be revoked at any time with effect for the future. The lawfulness of processing carried out until withdrawal remains unaffected. You can withdraw cookie consents at any time via the cookie settings symbol (bottom left of the website).
4.8 Right to Complain (Art. 77 GDPR)
You may complain to any EU data protection supervisory authority. The supervisory authority responsible for us is:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Postfach 3163, 65021 Wiesbaden, Germany
Phone: +49 611 1408 - 0
Email: poststelle@datenschutz.hessen.de
Web: datenschutz.hessen.de
4.9 Exercising Your Rights
A simple email to office@cogswell.de is sufficient. We respond within the period of Art. 12 (3) GDPR (usually one month, extendable by two further months). We may request appropriate evidence to verify identity.
5. Hosting & Server Log Files
5.1 Hosting Provider
ALL-INKL.COM — Neue Medien Münnich
Owner: René Münnich
Hauptstraße 68, 02742 Friedersdorf, Germany
Server location: exclusively Germany
A data processing agreement under Art. 28 GDPR exists with ALL-INKL. No third-country transfer takes place.
5.2 Server Log Files
On each request the server automatically records:
- IP address (shortened/pseudonymized),
- Date, time and time zone of access,
- Name and URL of the requested file,
- Data volume transferred,
- HTTP status code,
- Operating system and browser version used,
- Referrer URL,
- Hostname and internet service provider.
Purposes: Stability, security, defense against cyberattacks (DDoS, brute force), error diagnosis.
Legal basis: Art. 6 (1)(f) GDPR.
Retention period: Maximum 7 days, then automatic deletion. Longer storage only in the event of a specific security incident until final clarification.
6. Cookies, Local Storage & Consent Management
6.1 General
On our website we use cookies and comparable technologies (Local Storage, Session Storage, pixels). Cookies are small text files stored in your browser containing certain information. We distinguish according to § 25 TDDDG and the GDPR in three categories:
6.2 Categories
Necessary (always active, exempt from consent under § 25 (2) TDDDG):
| Name / Key | Purpose | Retention |
|---|---|---|
| cogswell_session | Session ID, functionality | End of session |
| cogswell_consent_v2 | Storage of your cookie choice | 12 months |
| cogswell-a11y-v1 (local storage) | Accessibility settings | Permanent (local) |
| cf_chl_* (Cloudflare Turnstile) | Bot protection on forms | End of session |
Legal basis for necessary cookies: Art. 6 (1)(f) GDPR in conjunction with § 25 (2) No. 2 TDDDG (technically strictly necessary for a telemedia service expressly requested by the user).
Statistics / Analytics (only with consent): Google Analytics 4 (see Section 12).
Marketing (only with consent): Google Ads (see Section 13), Meta Ads / Meta Pixel (see Section 14).
6.3 Consent and Withdrawal
Statistics and marketing cookies are set only after your explicit, informed consent via our cookie banner (consent management tool). Before consent, no cookies are set and no connections to the respective providers are established ("consent-first pattern").
Legal basis: Art. 6 (1)(a) GDPR in conjunction with § 25 (1) TDDDG.
You can change or revoke your choice at any time via the cookie settings symbol (bottom left of every page). Additionally, you can disable cookies in your browser or delete already-set cookies. This may limit the website's functionality.
7. Contact and Order Forms
When you use the contact form, careers form, cancellation form or one of our order forms, your data (e.g. name, company, address, email, phone, message) is processed to handle your inquiry.
Transmission is encrypted via HTTPS to our service provider FormSubmit (Formspark LLC, USA), which converts the inquiry into an email to office@cogswell.de. FormSubmit does not store the data permanently.
Legal basis: Art. 6 (1)(b) GDPR (pre-contractual measures) or (f) (legitimate interest in responding to inquiries). A data processing agreement with EU standard contractual clauses is concluded with FormSubmit.
Retention period: Deletion after final processing, unless commercial or tax retention obligations (§ 257 HGB, § 147 AO – up to 10 years) prevent this.
8. Payments via Stripe
For processing paid orders (e.g. maintenance contracts via SEPA direct debit) we use Stripe Payments Europe, Ltd. (SPEL), 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland.
When you start payment you are redirected to Stripe's secure checkout page. You enter payment data (IBAN, BIC, account holder) directly with Stripe; we only receive a confirmation of successful payment and a transaction ID.
Legal bases: Art. 6 (1)(b) GDPR (payment contract), (f) (fraud prevention), (c) (statutory retention obligations, e.g. PSD2). A data processing agreement is concluded with Stripe. Stripe privacy policy: stripe.com/privacy.
9. Bot Protection (Cloudflare Turnstile)
On our forms we use Cloudflare Turnstile, a CAPTCHA replacement from Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA. Turnstile checks based on technical signals (browser fingerprint, behavioral patterns) whether the request comes from a human. A pseudonymous identifier and the IP address are transmitted.
Legal basis: Art. 6 (1)(f) GDPR (protection against spam and abuse of our forms).
Third country: Cloudflare is certified under the EU-US Data Privacy Framework; additionally, EU standard contractual clauses exist. Privacy policy: cloudflare.com/privacypolicy.
10. AI Chatbot with Anthropic Claude
10.1 Function and Processing Chain
We use an AI-powered chatbot on this website that answers questions about our services and – upon request – prepares contact. Processing takes place in several stages, which we present transparently:
10.2 Delivery of the Chat Widget (Google Firebase)
The chat widget itself is delivered via Google Firebase Hosting of Google Ireland Limited, Gordon House, 4 Barrow Street, Dublin 4, Ireland. When you open the chat, technical connection data (IP address, browser type, language, timestamp) is transmitted to Firebase to enable delivery. Intra-group transmission to Google LLC (USA) is possible; Google LLC is certified under the EU-US Data Privacy Framework.
Legal basis: Art. 6 (1)(f) GDPR (legitimate interest in a low-threshold support channel).
10.3 Content Processing by Anthropic Claude
Responses to your messages are generated by the language model Claude of Anthropic, PBC, 548 Market Street, PMB 90375, San Francisco, CA 94104, USA. The content of your message – together with a context defined by us (e.g. information about our services, tone, response rules) – is transmitted via API to Anthropic's servers and processed there to generate a response.
Categories of data processed:
- The message text you enter (including all content you voluntarily enter – e.g. name, company, email, phone, request),
- The course of the current conversation (session context),
- Technical metadata of the API request (timestamp, model version, token volume, request ID).
Protective measures at Anthropic:
- Anthropic does not use API inputs to train its models (standard setting for API customers, contractually assured).
- A Data Processing Addendum (DPA) under Art. 28 GDPR including EU Standard Contractual Clauses (SCCs) is in place with Anthropic.
- Anthropic is certified, among others, to ISO/IEC 27001:2022 (information security), ISO/IEC 42001:2023 (AI management systems) and SOC 2 Type I & II.
- Data is encrypted in transit (TLS) and at rest.
- API inputs and outputs are stored at Anthropic by default for up to 30 days for security and abuse monitoring purposes; then deleted. In case of suspected violations of the terms of use, the storage period may be longer.
Legal bases: Art. 6 (1)(b) GDPR (pre-contractual measures) and Art. 6 (1)(f) GDPR (legitimate interest in an efficient AI-supported support channel). For transmission to the USA: Art. 46 (2)(c) GDPR (EU standard contractual clauses) and additional technical and organizational measures.
Anthropic privacy policy: www.anthropic.com/privacy.
10.4 Handover to Our CRM (see Section 11)
If a specific business case arises from your chat inquiry (e.g. callback request, quote request, appointment request), we transfer the conversation content and contact data to our own CRM system – see Section 11.
10.5 Notice Before Using the Chatbot
Before the first input, the chat window transparently displays:
- that your message is processed by an AI system (Anthropic Claude),
- that transmission to a service provider in the USA occurs,
- that for specific requests a handover to our CRM takes place,
- that you should not enter sensitive data (health data, bank/cardholder data, passwords),
- that email, phone or contact form are available as alternatives.
By actively sending a message, you confirm that you have taken note of this information. Use of the chatbot is voluntary.
11. Self-Developed CRM System (Open-Source Basis)
11.1 System Description
For maintaining and managing customer and prospect relationships we use a self-developed CRM system based on the open-source, self-hostable CRM software Perfex CRM. We have extensively customized, hardened and extended this with our own modules. We host the CRM on our own, self-controlled infrastructure in Germany (see Section 5) – it is not a SaaS or cloud solution from a third party. The entire data inventory remains under our sole control within the EU.
The transfer of data from the AI chatbot or from forms to the CRM takes place via an internally secured, encrypted API.
11.2 Categories of Data Processed
In the CRM the following are particularly processed:
- Master data: First and last name, optionally company, function, address,
- Communication data: Email address, phone number, possibly other channels,
- Process data: Content of your inquiry, course of correspondence, chat log (if taken over from the AI chatbot), internal notes by our employees, tasks and reminders,
- Contract data: Contract status, scope of services, terms, tickets,
- Metadata: Time of contact, source (chatbot, form, email, phone), processing status, assigned contact person.
11.3 Purpose Limitation
Processing serves exclusively:
- The proper handling of your inquiries,
- Initiation, performance and execution of contracts,
- Internal documentation and traceability,
- Compliance with commercial and tax retention obligations,
- Possibly assertion, exercise or defense of legal claims.
Use of your CRM data for profiling, scoring, automated decisions or sale to third parties expressly does not occur.
11.4 Legal Bases
- Art. 6 (1)(b) GDPR – pre-contractual measures and performance of contracts,
- Art. 6 (1)(c) GDPR – fulfillment of legal obligations (in particular HGB/AO retention),
- Art. 6 (1)(f) GDPR – legitimate interest in orderly customer communication and case management.
11.5 Recipients and Third-Country Transfer
Access to the CRM is granted exclusively to authorized employees of Cogswell IT, who are obliged to confidentiality. No transmission to third parties or to third countries takes place. Backups are stored exclusively in Germany.
11.6 Retention Period
- Inquiries without business conclusion: Deletion at the latest 12 months after last contact.
- Active customer relationships: For the duration of the business relationship.
- Terminated customer relationships: 3 years after end of business relationship (limitation period § 195 BGB), then deletion – unless longer commercial/tax retention obligations apply (up to 10 years under § 257 HGB, § 147 AO).
11.7 Software Basis (Perfex CRM)
As the technical basis of our CRM system we use Perfex CRM, a self-hostable, openly distributed PHP-based CRM application. The provider supplies us with the complete source code, which we have extensively adapted, supplemented and security-hardened for our purposes and to meet GDPR requirements. The application is operated exclusively on our own German server infrastructure (see Section 5); there is no automatic data transmission to the software manufacturer. Updates of the base system are reviewed by us before being applied. Having control of the source code gives us complete transparency over all data flows within the application.
12. Web Analytics with Google Analytics 4
12.1 Provider and Purpose
Only with your consent via our cookie banner do we use the web analytics service Google Analytics 4 (GA4).
Provider: Google Ireland Limited, Gordon House, 4 Barrow Street, Dublin 4, Ireland ("Google EU"). Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Google Analytics uses cookies and similar technologies that enable analysis of your use of the website. Information generated by the cookie about your use of this website is generally transmitted to a Google server in the USA and stored there.
12.2 Data Processed
- Device/browser data: Browser type and version, operating system, screen resolution, language,
- Location data (approximate, derived from the IP address; IP anonymization is active by default in GA4),
- IP address (processed shortened),
- Usage data: Pages visited, click paths, duration of stay, scroll depth, referrer (origin page),
- Pseudonymous online identifiers (client ID, session ID),
- Conversion events (e.g. submitting a form).
12.3 Cookies (Selection)
| Cookie | Purpose | Retention |
|---|---|---|
| _ga | Pseudonymous user distinction | Up to 2 years |
| _ga_<container-id> | Session/state management | Up to 2 years |
| _gid | Pseudonymous user distinction | 24 hours |
12.4 Privacy Settings
We have activated the following protection measures in GA4:
- IP anonymization (default in GA4, shortening of IP address before storage),
- Data retention limited to 14 months,
- Data use for Google advertising products only to the extent the marketing consent covers,
- No Google Signals tracking without explicit consent.
12.5 Legal Bases
- Setting cookies / reading from device: § 25 (1) TDDDG (consent).
- Subsequent data processing: Art. 6 (1)(a) GDPR (consent).
- Third-country transfer: Google LLC is certified under the EU-US Data Privacy Framework (Art. 45 GDPR); additionally, EU standard contractual clauses exist (Art. 46 (2)(c) GDPR).
A data processing agreement under Art. 28 GDPR is concluded with Google (Google Ads Data Processing Terms / Measurement Controller-Controller Data Protection Terms).
12.6 Withdrawal and Opt-Out
You can withdraw consent at any time via our cookie banner. Alternatively, you can permanently prevent collection by Google Analytics using the "Google Analytics Opt-out Browser Add-on" at tools.google.com/dlpage/gaoptout.
Google privacy policy: policies.google.com/privacy.
13. Online Advertising with Google Ads (Conversion Tracking and Remarketing)
13.1 Provider and Purpose
Only with your consent do we use Google Ads of Google Ireland Limited (address as above) for online advertising. We use:
- Google Ads Conversion Tracking: Measurement whether a person who came to us via a Google ad performs a specific action (e.g. submit form, complete order).
- Google Ads Remarketing / Dynamic Remarketing: Re-targeting people who have visited our website with targeted ads on other websites within the Google advertising network (incl. YouTube).
13.2 Data Processed
- Pseudonymous cookie IDs / device IDs,
- IP address (shortened),
- Pages called up and conversion events triggered,
- Timestamps,
- For "Enhanced Conversions", optionally, hashed email addresses that you have entered in a form, to improve conversion mapping (joint controllership, see 13.4).
13.3 Cookies (Selection)
| Cookie | Purpose | Retention |
|---|---|---|
| _gcl_au | Google Ads conversion tracking | 90 days |
| NID | Personalization / ad delivery | 6 months |
| IDE | Conversion measurement and targeting (Google domain) | Up to 13 months |
| test_cookie | Test cookie support | 15 minutes |
13.4 Joint Controllership (Art. 26 GDPR)
If we use "Enhanced Conversions" or functions in which we provide Google with data for advertising measurement purposes, we are joint controllers with Google within the meaning of Art. 26 GDPR for the collection of data and its transmission to Google. The subsequent processing by Google in its own responsibility takes place on the basis of Google's privacy policy. A joint controller agreement with Google (Google Ads Data Protection Terms, Controller-Controller Annex) is in place.
13.5 Legal Bases
- Cookies / device access: § 25 (1) TDDDG (consent),
- Data processing: Art. 6 (1)(a) GDPR (consent),
- Third-country transfer: DPF (Art. 45 GDPR) + SCCs (Art. 46 (2)(c) GDPR).
13.6 Withdrawal
Revocable at any time via our cookie banner. You can additionally disable personalized advertising at adssettings.google.com.
14. Online Advertising with Meta Ads (Meta Pixel and Conversion API)
14.1 Provider and Purpose
Only with your consent do we use advertising and analytics tools from Meta:
Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland ("Meta EU"). Parent company: Meta Platforms, Inc., 1 Meta Way, Menlo Park, CA 94025, USA.
Used:
- Meta Pixel (tracking pixel in browser): Measurement of the effectiveness of our advertisements on Facebook and Instagram, formation of target groups (custom/lookalike audiences), remarketing.
- Meta Conversion API (CAPI): Server-to-server transmission of conversion events directly from our system to Meta, supplementing the browser pixel. We use CAPI with the privacy-friendly default settings (hashing of personal data before transmission).
14.2 Data Processed
- IP address,
- Pseudonymous device and browser identifiers (_fbp, _fbc),
- Pages called up, events triggered (PageView, Lead, Purchase, Contact),
- User agent, referrer,
- Optionally hashed (SHA-256) contact data such as email or phone number, if you have actively entered them in a form (for "Advanced Matching" or CAPI).
14.3 Cookies (Selection)
| Cookie | Purpose | Retention |
|---|---|---|
| _fbp | Browser identifier for conversion measurement | 90 days |
| _fbc | Click identifier (when clicking on a Meta ad) | 90 days |
| fr (on facebook.com) | Ad delivery | 90 days |
14.4 Joint Controllership with Meta (Art. 26 GDPR)
For the collection of your data by the Meta Pixel or CAPI and its transmission to Meta, we are joint controllers with Meta within the meaning of Art. 26 GDPR. Meta and we have concluded a Joint Processing Agreement ("Controller Addendum") pursuant to Art. 26 GDPR, in which the respective responsibilities are defined:
- We are responsible for fulfilling the information obligations under Art. 13, 14 GDPR (this declaration) and for obtaining consent before activating the pixel/CAPI.
- Meta is responsible for the subsequent processing of data for ad delivery and measurement, and for ensuring data subject rights for Meta users.
You can assert data subject rights both with us and directly with Meta. The agreement is available at: www.facebook.com/legal/controller_addendum.
14.5 Legal Bases
- Cookies / device access: § 25 (1) TDDDG (consent),
- Data processing: Art. 6 (1)(a) GDPR (consent),
- Third-country transfer: Meta Platforms, Inc. is certified under the EU-US Data Privacy Framework (Art. 45 GDPR); additionally, EU standard contractual clauses exist (Art. 46 (2)(c) GDPR).
14.6 Withdrawal
Revocable at any time via our cookie banner. Logged-in Meta users can additionally disable personalized advertising in the advertising settings of their Meta account.
Meta privacy policy: www.facebook.com/privacy/policy.
15. Accessibility Widget (AccessKit)
Our own widget "AccessKit" allows you to adjust font size, contrast, motion and read-aloud settings. Your choice is stored exclusively locally in your browser (Local Storage, key cogswell-a11y-v1). There is no transmission to our servers or third parties.
Legal basis: Art. 6 (1)(f) GDPR and § 25 (2) No. 2 TDDDG (technically necessary for a service expressly requested by the user).
16. Locally Hosted Fonts
The fonts used (Inter, JetBrains Mono and Caveat) are delivered locally from our server in Germany. There is no connection to Google Fonts or other third-party servers; your IP address is not transmitted to external font providers.
17. Data Security (Technical and Organizational Measures)
We take appropriate technical and organizational measures under Art. 32 GDPR to protect your data against unauthorized access, loss, alteration or destruction. These include in particular:
- Transport encryption of the entire website via TLS 1.2/1.3 (HTTPS),
- Encryption of sensitive data at rest (in particular CRM database, backups),
- Access control with role-based authorization concept, strong passwords and 2-factor authentication for administrative access,
- Regular security updates of the operating system, web server software, open-source CRM base and all applications,
- Backups with encryption; storage location exclusively Germany,
- Logging of security-relevant events,
- Confidentiality obligations for all employees pursuant to Art. 28 (3)(b) and Art. 29 GDPR,
- Training on data protection and IT security,
- Hardening of servers and applications according to common best-practice standards (including OWASP).
Our security measures are continuously adapted to the state of the art.
18. Automated Decision-Making and Profiling
Automated decision-making in individual cases including profiling within the meaning of Art. 22 GDPR with legal effect against you or similarly significant impairment does not take place.
Note on the AI chatbot (Claude): The chatbot generates responses based on language models. These responses serve purely for information and service support; they have no legally binding character and make no decisions about you (e.g. about contract conclusion, conditions, creditworthiness). Binding decisions are made exclusively by our employees.
Note on advertising platforms (Google Ads, Meta Ads): The platforms may form statistical profiles when delivering ads. These profiles are not created by us and do not lead to any legally significant decision against you.
19. Third-Country Transfers
Within the framework of the above-mentioned services, data is transmitted to third countries outside the EU/EEA – in particular to the USA. Such transfers only take place on the basis of recognized safeguards:
19.1 Adequacy Decision under Art. 45 GDPR
For the following US companies, certification under the EU-US Data Privacy Framework (DPF) exists:
- Google LLC (Google Ireland Limited, Google Analytics, Google Ads, Google Firebase),
- Cloudflare, Inc. (Cloudflare Turnstile),
- Meta Platforms, Inc. (Meta Ireland, Meta Ads / Meta Pixel).
A current overview of certified US companies is at dataprivacyframework.gov/list.
19.2 EU Standard Contractual Clauses under Art. 46 (2)(c) GDPR
With the following recipients we have concluded – additionally or instead of the DPF – EU standard contractual clauses (SCCs) in the current version (Implementing Decision 2021/914):
- Anthropic, PBC (AI chatbot Claude),
- FormSubmit / Formspark LLC (form processing),
- Additionally, for all other US group entities of the companies mentioned in 19.1.
19.3 Additional Safeguards
Where necessary, we have agreed or set up additional technical and organizational measures, in particular encryption in transit and at rest, short retention periods, contractual commitments not to use for AI training (Anthropic) and audit rights.
19.4 Residual Risk and Transparency Notice
Despite these safeguards, we cannot completely exclude that US authorities may access data within the scope of their national powers (e.g. FISA 702, CLOUD Act). Particularly in the AI chatbot and with marketing tools, we therefore ask you not to enter sensitive personal data whose transmission to the USA you do not want. If you reject this in principle, you can disable the statistics and marketing categories in the cookie banner and reach us via email, phone or contact form.
20. Processors and Recipients Overview
We use the following service providers. With all of them, contracts under Art. 28 GDPR (processing) or Art. 26 GDPR (joint controllership, where applicable) exist:
| Provider | Location | Purpose | Role | Third-Country Mechanism |
|---|---|---|---|---|
| ALL-INKL.COM (Neue Medien Münnich) | Friedersdorf, Germany | Hosting, server, mail accounts, CRM hosting | Processor | – (EU) |
| Stripe Payments Europe, Ltd. | Dublin, Ireland | Payment processing | Processor / own responsibility | DPF + SCC (group-internal USA) |
| Cloudflare, Inc. | San Francisco, USA | Bot protection (Turnstile) | Processor | DPF + SCC |
| Google Ireland Limited / Google LLC | Dublin, Ireland / USA | Firebase Hosting (chatbot widget), Google Analytics 4, Google Ads | Processor; partly joint controllership (Enhanced Conversions) | DPF + SCC |
| Anthropic, PBC | San Francisco, USA | AI language model "Claude" for chatbot responses | Processor | SCC + DPA |
| Meta Platforms Ireland Limited / Meta Platforms, Inc. | Dublin, Ireland / USA | Meta Ads, Meta Pixel, Conversion API | Joint controller (Art. 26 GDPR) for collection and transmission; own responsibility for subsequent processing | DPF + SCC |
| FormSubmit / Formspark LLC | USA | Form-to-email forwarding | Processor | SCC |
21. Retention Periods Overview
| Data Category | Retention Period |
|---|---|
| Server log files | Max. 7 days |
| Cookie consent record | 12 months |
| Contact form inquiries (without business conclusion) | After processing, at the latest 12 months |
| Order data / contract documents | Duration of business relationship + up to 10 years (§ 257 HGB, § 147 AO) |
| Chat sessions without business case | After session end, at the latest 30 days |
| Chat sessions with handover to CRM | Like CRM data |
| Anthropic API (provider side) | Up to 30 days (security / abuse review) |
| CRM – active customer relationship | Duration of business relationship |
| CRM – terminated customer relationship | 3 years after termination (§ 195 BGB), max. 10 years (HGB/AO) |
| CRM – prospects without business conclusion | Max. 12 months from last contact |
| Google Analytics 4 | Data retention 14 months |
| Google Ads cookies | Up to 13 months (IDE), or 90 days (_gcl_au) |
| Meta Pixel cookies | 90 days |
| Payment receipts (Stripe) | 10 years (tax law) |
22. Minors
Our offerings are generally aimed at adults. Persons under 16 years of age should not transmit personal data to us without the consent of their legal guardians (Art. 8 GDPR in conjunction with § 25 (1) TDDDG). We do not request personal data from children, do not collect them and do not pass them on to third parties. If we discover that we have inadvertently collected data of a child without the necessary consent, we will delete it immediately.
23. Currency and Changes to this Privacy Policy
This privacy policy is currently valid and has the status 14 May 2026. Due to the further development of our website and offerings or due to changed legal or official requirements, it may become necessary to adapt this privacy policy. The currently valid version is available on this page at any time. We recommend that you regularly inform yourself about changes.