Data Privacy Statement

    Legal Notice

    This English version is a translation for convenience only. The German version is legally binding.

    I. Name and Address of Controller

    The controller as per the General Data Protection Regulation (GDPR) and other national data protection laws of the Member States, as well as other provisions of data protection law, is:

    Conformitas Legal GmbH
    Gutenbergstraße 12
    65428 Rüsselsheim am Main
    Germany

    Represented by: Paul Stephan
    Contact
    Phone: +49 (0) 6142 9673023
    Email: info@conformitas.legal

    II. Rights of the Data Subject

    If your personal data is being processed, you are a data subject as per the GDPR and have the following rights with respect to the controller:

    • Right to Information: You may request confirmation as to whether your personal data is being processed and, if so, obtain information about the purposes, categories, recipients, storage period, rights to rectification or erasure, restriction or objection, the right to lodge a complaint, source of data, and the existence of automated decision-making (including profiling).
    • Right to Rectification: You may request the correction or completion of inaccurate or incomplete personal data.
    • Right to Restriction of Processing: You may request restriction under certain conditions, such as contesting accuracy, unlawful processing, data no longer needed except for legal claims, or pending verification of an objection.
    • Right to Deletion: You may request deletion of your personal data without undue delay under certain conditions (e.g., data no longer necessary, withdrawal of consent, objection, unlawful processing, legal obligation, or data collected from minors for information society services). Exceptions apply where processing is necessary for freedom of expression, legal obligations, public interest, research, or legal claims.
    • Right to Notification: When your data is rectified, deleted, or processing restricted, recipients of your data will be informed unless this is impossible or involves disproportionate effort. You have the right to be informed about those recipients.
    • Right to Data Portability: You may receive your personal data in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller, where technically feasible.
    • Right to Object: You may object at any time to processing based on legitimate interests or for direct marketing purposes, including profiling.
    • Right to Revoke Consent: You may revoke your consent at any time. Revocation does not affect the lawfulness of processing prior to revocation.
    • Right Not to be Subject to Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing, including profiling, except where necessary for a contract, authorized by law, or based on explicit consent, with appropriate safeguards.
    • Right to Lodge a Complaint: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal data infringes the GDPR.

    III. General Information on Data Processing

    Scope: We process users' personal data only to the extent necessary to provide a functional website and our content and services. Processing typically occurs after obtaining user consent, except where legally permitted without consent.

    Legal Basis: Processing is based on user consent (Art. 6(1)(a) GDPR), contract performance (Art. 6(1)(b) GDPR), legal obligations (Art. 6(1)(c) GDPR), vital interests (Art. 6(1)(d) GDPR), or legitimate interests (Art. 6(1)(f) GDPR).

    Data Deletion and Storage: Personal data is deleted or blocked as soon as the purpose for storage no longer applies or as required by law.

    IV. Provision of the Website and Creation of Log Files

    Data Collected: Each time our website is accessed, the system automatically collects data. This may include: browser type/version, operating system, internet service provider, IP address, date/time of access, referring websites, and accessed websites. This data is stored in log files and not combined with other personal data.

    Legal Basis: The temporary storage of data and log files is based on our legitimate interest in secure and functional provision of our website (Art. 6(1)(f) GDPR).

    Purpose: The data is processed to enable website delivery, ensure functionality, optimize the website, and ensure the security of our information technology systems. No evaluation of the data for marketing purposes takes place in this context.

    Storage Period: Data is deleted as soon as it is no longer required for achieving the purpose of its collection. Data for website operation is deleted when the respective session ends. Log files are generally deleted after seven days, unless further storage is required for evidentiary purposes. In this case, IP addresses are pseudonymized or deleted.

    Objection and Deletion: The collection of data for website provision and storage in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility for the user to object.

    V. Use of Cookies

    Technically Necessary Cookies: Our website uses cookies that are necessary for technical functionality and user-friendly design. Cookies are text files that are stored in your browser. Some functions of our site cannot be offered without the use of cookies (e.g., storage of language settings). The legal basis for the use of technically necessary cookies is our legitimate interest pursuant to Art. 6(1)(f) GDPR.

    Analytik and Tracking Cookies: In addition, we use cookies for analytics and tracking purposes to evaluate the use of our website and improve our offering. This only happens if you have given us your explicit consent via our cookie banner. The legal basis for this is Art. 6(1)(a) GDPR. You can revoke your consent at any time with effect for the future. Details about the services used can be found in the section on processors and third-party services.

    Storage Period, Objection, and Deletion: Cookies are stored on your computer. You can control cookies at any time via your browser settings, restrict their storage, or delete already stored cookies. Please note that disabling cookies may limit the functionality of our website.

    VI. Processors and Third-Party Services

    For certain processing activities, we use specialized, external service providers (processors). We ensure through the conclusion of data processing agreements that all service providers process your data only on our instructions and in accordance with GDPR requirements.

    • Cloudflare (Hosting/CDN): We use the services of Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA) as a Content Delivery Network (CDN) and to increase the security and delivery speed of our website. This represents a legitimate interest pursuant to Art. 6(1)(f) GDPR. For this purpose, Cloudflare processes the IP addresses of visitors and other technical data.
    • Zoho (Live Chat and Web Analytik): We use Zoho Desk and Zoho SalesIQ from Zoho Corporation B.V. (Hoogoorddreef 15, 1101 BA Amsterdam, Netherlands) on our website.
    • Zoho Desk: We use Zoho Desk to provide a chat window for direct communication with you. When you actively use this chat window, your inputs (name, email address, chat content) as well as your IP address and technical information about your browser are processed to respond to your inquiry. The legal basis is your consent through active use of the chat (Art. 6(1)(a) GDPR) or the initiation of a contractual relationship (Art. 6(1)(b) GDPR).
    • Zoho SalesIQ: If you have given your consent via the cookie banner (Art. 6(1)(a) GDPR), we use Zoho SalesIQ to analyze user behavior on our website (e.g., pages visited, duration of stay). This helps us optimize our offering. You can revoke this consent at any time.
    • OpenAI (AI Chatbot): Within our chat window, we use technologies from OpenAI, L.L.C. (3180 18th Street, San Francisco, CA 94110, USA) to automatically answer inquiries. When you use the chat, your entered conversation content is transmitted to OpenAI for processing. The legal basis for this processing is your explicit consent (Art. 6(1)(a) GDPR), which is obtained before starting the chat. Please do not enter sensitive personal data in the chat window.
    • ElevenLabs (AI Telephony): For conducting phone conversations, sometimes using AI-generated speech, we use the service of ElevenLabs Inc. (401 2nd Ave, New York, NY 10010, USA). Your phone number, conversation content (audio data), and call metadata are processed. The legal basis for processing depends on the context: fulfillment of a contract or implementation of pre-contractual measures (Art. 6(1)(b) GDPR) as well as your consent, particularly for processing voice data (Art. 6(1)(a) GDPR).
    • Resend (Email): We use Resend (Resend Inc., 548 Market St, PMB 49972, San Francisco, CA 94104-5401, USA) for sending transactional and system notification emails. Your email address and message content are processed exclusively for the purpose of email delivery.
    • Twilio (Telephony): We use Twilio (Twilio Inc., 101 Spear Street, 5th Floor, San Francisco, CA 94105, USA) to manage calls. Data such as phone numbers, call metadata, and, where applicable, conversation content are processed for providing communication services.
    • Supabase (Backend): Our application backend and data storage are hosted on Supabase (Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992). Personal data you provide (e.g., login credentials) is stored and processed via the Supabase infrastructure.
    • Hostinger (Automation): We use the hosting services of Hostinger International Ltd. (Lordou Vironos 61, 6023 Larnaca, Cyprus) for operating automation processes. These processes are necessary for the efficient provision and management of our services. The legal basis for processing data in these automations is our legitimate interest in efficient business operations (Art. 6(1)(f) GDPR) or contract fulfillment (Art. 6(1)(b) GDPR).
    • Google (Cloud Services): We use various cloud services from Google, provided by Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland) and its parent company Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). These services include, for example, data storage, internal organization, and communication. Processing serves to fulfill contractual obligations (Art. 6(1)(b) GDPR) as well as our legitimate interest in secure and efficient IT infrastructure (Art. 6(1)(f) GDPR). When using these services, data may be transferred to the USA. Google LLC is certified under the EU-U.S. Data Privacy Framework, ensuring an adequate level of data protection.

    When using these providers, personal data may be transferred to countries outside the European Economic Area (EEA), particularly to the USA. We ensure that an adequate level of data protection is guaranteed through appropriate safeguards (e.g., EU Standard Contractual Clauses or adequacy decisions such as the EU-U.S. Data Privacy Framework).

    VII. Contact Form and E-Mail Contact

    Description and Scope: When using the contact form, the data entered (e.g., email address) is sent to and stored by us. Consent is obtained during submission. Alternatively, you can contact us by email; in this case, the data sent is stored. Data is not disclosed to third parties and is used solely for processing the conversation.

    Legal Basis: Processing is based on your consent (Art. 6(1)(a) GDPR) or, for contract-related inquiries, on Art. 6(1)(b) GDPR. Our legitimate interest (Art. 6(1)(f) GDPR) lies in the efficient processing of inquiries.

    Purpose: The data is used to process your inquiry and ensure IT security.

    Storage Period: Data is deleted when it is no longer needed for the purpose of the conversation and no legal retention obligations exist.

    Objection and Deletion: You can revoke your consent at any time. If you object to storage, the conversation cannot continue and all related data will be deleted, unless legal retention obligations exist.

    VIII. Obligation to Provide Data

    In principle, there is no legal or contractual obligation for you to provide us with your personal data. However, for purely informational use of our website, the processing of the technical data mentioned under point IV is absolutely necessary.

    If you wish to use certain services such as contacting us or concluding a contract, the provision of the personal data required for this purpose is necessary. Failure to provide this data means that we cannot provide the desired service.

    This Data Privacy Statement is current as of September 16, 2025.