1. Data controller
The controller within the meaning of the GDPR is: Rückerl und Abram – Online-helfer GbR, Lehmbruckstraße 10, 50939 Köln, Germany. Phone: 0156 79220483, email: [email protected].
We take the protection of your personal data very seriously and explain here what data we collect, how we process it and what rights you have.
2. Data processing when visiting the website
When you access our website we automatically collect technically necessary data transmitted by your browser:
- Pages visited
- Date and time of the visit
- Volume of data transferred
- Referrer URL
- Browser and version
- Operating system
- IP address (anonymised where applicable)
The legal basis is our legitimate interest (Art. 6 (1) (f) GDPR) in secure, stable operation. This data is not shared with third parties except to ward off attacks or enforce legal claims.
3. Hosting and technical service providers
To provide, secure and operate our website we use the following service providers, each under a data processing agreement:
- Cloudflare, Inc. (USA) – hosting and delivery of our website (Cloudflare Pages), protection against attacks, and storage of form and order data in a database (Cloudflare D1) and of files (Cloudflare R2). Processing takes place on Cloudflare's global infrastructure; Cloudflare is certified under the EU-US Data Privacy Framework.
- Google Ireland Ltd. / Google LLC (USA) – sending of notification and confirmation emails via Google Workspace. Google is certified under the EU-US Data Privacy Framework.
- IONOS SE (Germany) – storage of customer/project files (e.g. generated quotes) in HiDrive cloud storage; servers in Germany.
The legal basis is Art. 6 (1) (f) GDPR (secure, functional operation), plus Art. 6 (1) (b) GDPR for shop order processing.
Where personal data is transferred to the USA in this context (Cloudflare, Google, Stripe, Turnstile), we base the transfer on the EU Commission's adequacy decision regarding the EU-US Data Privacy Framework, insofar as the respective provider is certified. In addition, and in the event that certification no longer applies, we have agreed the EU Commission's Standard Contractual Clauses (Art. 46 (2) (c) GDPR) with these providers. You may request a copy of the safeguards from us.
4. Cookies and local storage
For technically necessary functions we use local browser storage: the shopping cart in the theme shop is stored in your browser (localStorage) so your selection is retained. This data never leaves your browser and is not used for advertising; you can delete it at any time via your browser settings. In addition, we set statistics and marketing cookies (e.g. from Google and Meta) only after your explicit consent via our cookie banner – see the section “Consent and cookie banner” below for details. Without your consent these are not loaded.
Our security and hosting provider Cloudflare may set technically necessary cookies to defend against attacks and bots. The legal basis for technically necessary storage is § 25 (2) TDDDG and Art. 6 (1) (f) GDPR. We do not use consent-requiring cookies without your prior consent.
5. Contacting us and forms
If you contact us by email, phone or via our forms (contact form, quote configurator, appointment booking for a free intro call), we process your details solely to handle your enquiry. The legal basis is Art. 6 (1) (f) GDPR, plus (b) where a contract is initiated. Data is deleted once it is no longer needed for processing and no statutory retention obligations apply.
Your form details are stored in a database at our hosting provider Cloudflare (Cloudflare D1) and displayed for processing in our password-protected internal dashboard. To notify us of your enquiry and to confirm receipt to you, we send emails via Google Workspace (see section 3). No data is shared for advertising purposes.
6. Social media
On our website we only link to our profiles on social networks (e.g. via icons in the footer). No social media plugins are embedded – simply visiting our pages does not transmit any data to these networks. Only when you click such a link are you taken to the respective provider, whose own privacy policy then applies.
7. Data security
We have taken technical and organisational measures to protect your data against loss, misuse and unauthorised access. Transmission is encrypted (SSL/TLS).
8. Your rights
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Withdrawal of consent (Art. 7 (3) GDPR)
- Objection (Art. 21 GDPR)
- Complaint to a supervisory authority (Art. 77 GDPR)
The supervisory authority responsible for us is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (LDI NRW), Kavalleriestraße 2–4, 40213 Düsseldorf, Germany ([email protected], www.ldi.nrw.de). You may also contact the supervisory authority at your place of residence.
9. Storage period
Your data is stored only for as long as necessary for the stated purposes or as required by statutory retention periods. In detail:
- Server/access data (section 2): processed only temporarily; deleted or anonymised within 14 days at the latest, unless needed longer to ward off attacks.
- Contact and form enquiries (section 5): deleted once the enquiry has been conclusively handled – generally within 6 months at the latest, provided no contract is concluded and no statutory retention obligations apply.
- Appointment / intro-call data: deleted within 6 months of the appointment at the latest, unless a further business relationship arises.
- Order and contract data incl. proof of withdrawal waiver (section 11): up to 10 years in accordance with tax and commercial retention periods (§ 147 AO, § 257 HGB).
- Cancellation requests: for the duration of processing and to evidence contract termination within the statutory periods.
- Reach/affiliate analysis (sections 10, 12): aggregated only and without personal reference; no personal storage period.
10. Affiliate / partner links
We cooperate with partners (e.g. motamino.de) who link to our affiliate page via a banner or link. Such links contain a partner identifier parameter (e.g. ?ref=motamino). When our affiliate page is opened, we count the visit only in aggregate and per partner, in order to evaluate the success of the cooperation.
This analysis is cookieless: we set no cookies and build no personal profiles. Neither your IP address nor persistent device identifiers are stored; to avoid double counting we only temporarily keep a random session identifier in your browser's sessionStorage, which is discarded when the tab is closed. We additionally measure the dwell time of this session on our website and evaluate it solely in aggregate (e.g. average dwell time per partner). On the server we store only aggregate counters and duration values per partner – no identifiers that persist beyond the session or across websites.
The legal basis is Art. 6 (1) (f) GDPR (legitimate interest in evaluating and settling partner cooperations). Which data the partner processes on its own site is governed by that partner's privacy policy.
11. Online shop and payment processing
In our theme shop you can purchase digital products. For payment processing we use Stripe (Stripe Payments Europe, Ltd., Ireland, or Stripe, Inc., USA). At checkout you are redirected to Stripe's payment page; Stripe processes the payment and any billing data under its own responsibility. We receive from Stripe the information necessary to fulfil the order (e.g. email address, purchased products, payment status, amount).
The legal basis is Art. 6 (1) (b) GDPR (performance of a contract). Stripe is certified under the EU-US Data Privacy Framework. We store order data to fulfil the order and to comply with tax and commercial retention obligations.
As part of the order we also store the explicit consent you give during checkout that we begin providing the download before the end of the withdrawal period, together with your confirmation that your right of withdrawal thereby lapses – each with a timestamp, in order to evidence the proper conclusion of the contract (Art. 6 (1) (c) GDPR in conjunction with § 312f BGB). Order data is retained in line with statutory retention obligations, in particular under tax and commercial law (up to 10 years).
12. Audience measurement (cookieless)
To improve our offering we collect aggregated, anonymous usage statistics with Cloudflare Web Analytics. This solution is cookieless, sets no cookies and creates no cross-device identifiers; no personal profiles are formed. It records, in aggregated form, e.g. pages viewed, referrer, approximate origin (country) and browser/device type.
The legal basis is Art. 6 (1) (f) GDPR (legitimate interest in designing our website to meet demand). As no information that is not strictly necessary is stored on or read from your device, no consent is required.
We also evaluate the use of our quote configurator cookielessly and purely in aggregate: we anonymously count how often the configurator is started, the quote summary is reached and a request is submitted. No cookies are set and no IP addresses or personal or cross-device identifiers are stored – on the server only aggregated daily counters per step are created. The legal basis is Art. 6 (1) (f) GDPR (legitimate interest in improving our offering to meet demand).
In addition, we measure cookielessly and in aggregate whether visitors reached our website via an AI/answer engine (e.g. ChatGPT, Perplexity, Gemini, Copilot, Claude). For this, on page load only the referring address (referrer) or the source parameter of the called URL is evaluated and assigned to one of these services. No cookies are set and no IP addresses or personal or cross-device identifiers are stored – on the server only an aggregated daily counter per AI source is created. The legal basis is Art. 6 (1) (f) GDPR (legitimate interest in assessing the visibility of our offering in AI services).
13. Bot protection (Cloudflare Turnstile)
To protect our forms (contact form and quote configurator) from automated submissions and spam we use Cloudflare Turnstile. A script by Cloudflare checks in the background whether the input comes from a human – usually without puzzles and without tracking cookies.
In doing so, technical data (e.g. IP address, browser information) may be transmitted to Cloudflare, Inc. (USA); Cloudflare is certified under the EU-US Data Privacy Framework. The legal basis is Art. 6 (1) (f) GDPR (legitimate interest in preventing abuse and spam).
14. Consent and cookie banner
For non-essential cookies and technologies (statistics, marketing) we obtain your consent via a cookie banner. On your first visit you can freely decide whether to allow only necessary, additionally statistics and/or marketing technologies. The respective services are only loaded after your active consent.
We use Google Consent Mode v2: by default all consent-requiring storage and marketing functions are disabled (“denied”) and are only activated after your consent. The legal basis for consent-requiring cookies and technologies is your consent pursuant to § 25 (1) TDDDG and Art. 6 (1) (a) GDPR.
Your choice is stored in your browser. You can withdraw or change your consent at any time with effect for the future – via the “Cookie settings” link in the footer. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
15. Google Analytics 4 (and Google Ads)
If you consent to “Statistics”, we use Google Analytics 4 (GA4), a web analytics service of Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. GA4 is only loaded after your consent; Google Tag Manager may additionally be used to manage tags.
Google Analytics 4 is used for statistical analysis of usage behaviour (e.g. pages viewed, dwell time, approximate origin). Cookies may be set and pseudonymous identifiers processed. If you also allow “Marketing”, we use Google Ads for reach measurement, conversion tracking and remarketing (retargeting) to show you relevant ads on Google services and partner sites.
The provider is Google Ireland Ltd.; data may be transferred to Google LLC (USA). Google is certified under the EU-US Data Privacy Framework; the EU Commission's Standard Contractual Clauses additionally apply. The legal basis is your consent (Art. 6 (1) (a) GDPR, § 25 (1) TDDDG), which you can withdraw at any time via “Cookie settings”. More information: https://policies.google.com/privacy.
16. Meta Pixel (Facebook & Instagram)
If you consent to “Marketing”, we use the Meta Pixel, a technology of Meta Platforms Ireland Ltd., Merrion Road, Dublin 4, Ireland. The pixel sets cookies and makes it possible to track actions after clicking an ad or on our website (conversion measurement) and to show you relevant ads on Facebook and Instagram (remarketing/custom audiences).
In doing so, personal data may be transferred to Meta and linked to your Meta account; a transfer to Meta Platforms, Inc. (USA) is possible. Meta is certified under the EU-US Data Privacy Framework; Standard Contractual Clauses additionally apply. For the joint collection of data, a joint controllership agreement (Art. 26 GDPR) exists between us and Meta.
The legal basis is your consent (Art. 6 (1) (a) GDPR, § 25 (1) TDDDG). You can withdraw your consent at any time via “Cookie settings” and additionally object to personalised advertising in your Meta settings. More information: https://www.facebook.com/privacy/policy.