Privacy policy

Information on the processing of personal data pursuant to Art. 13 and 14 of the General Data Protection Regulation (DSGVO / GDPR) and the German Federal Data Protection Act (BDSG). Thank you for your interest in our services — we take the protection of your personal data very seriously.

Notice

This is a courtesy translation for informational purposes only. The legally binding version is the German original.

1. Controller

The controller within the meaning of Art. 4 No. 7 GDPR (DSGVO) and other data-protection provisions is:

Skayer Studio
Owner: Viktor Obholz
Am Hasengründlein 13
91413 Neustadt a.d. Aisch
Germany

Phone: +49 1793 9560 71

Email: info@skayer.de

We are not legally required to appoint a data protection officer. For any data-protection questions, please contact the controller named above directly.

2. General information on data processing

Scope of processing

As a rule, we only process personal data of our users to the extent necessary to provide a functional website together with our content and services. Processing generally takes place only with the user's consent, or in cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by statutory provisions.

Legal bases

  • Art. 6 (1) lit. a DSGVO — consent
  • Art. 6 (1) lit. b DSGVO — performance of a contract or pre-contractual measures
  • Art. 6 (1) lit. c DSGVO — compliance with a legal obligation
  • Art. 6 (1) lit. f DSGVO — legitimate interests of the controller or a third party

Data deletion and storage period

The personal data of the data subject will be deleted or blocked as soon as the purpose of storage ceases to apply. Storage may also take place if provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject (in particular commercial and tax retention obligations, typically 6 or 10 years pursuant to § 257 HGB and § 147 AO).

3. Provision of the website & server log files

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing device. The following data are collected:

  • IP address of the requesting device (truncated after 7 days)
  • date and time of access
  • URL accessed and amount of data transferred
  • message about successful retrieval (HTTP status)
  • browser type and version used
  • operating system of the user
  • previously visited page (referrer URL), if transmitted

The data are stored in the log files of our server hosted with the German provider Strato AG (Otto-Ostrowski-Straße 7, 10249 Berlin) in Germany. Strato processes the log-file data on our behalf; a data-processing agreement (Auftragsverarbeitungsvertrag) under Art. 28 GDPR is in place. These data are not stored together with other personal data of the user.

Legal basis: Art. 6 (1) lit. f DSGVO. Our legitimate interest lies in the technically error-free delivery and optimisation of the website and in ensuring system security (attack detection, abuse prevention).

Storage period: The IP address is anonymised after no more than 7 days; the remaining log file data are deleted after no more than 30 days, unless security-relevant incidents require longer retention for evidence-preservation purposes.

4. Cookies and comparable technologies

Our website uses cookies and comparable technologies (e.g. local storage). Cookies are small text files stored on your device that contain certain information. When you first visit our website, we display a cookie banner through which you can give or refuse your consent to the use of non-necessary cookies.

Necessary cookies

Cookies that are strictly necessary to provide our services (e.g. storage of the language setting, theme preference and the cookie decision itself). These cookies are always active. The legal basis is § 25 (2) No. 2 TDDDG (German Telecommunications-Telemedia Data Protection Act) and Art. 6 (1) lit. f DSGVO.

Marketing cookies (consent required)

Cookies and pixels from the third-party providers named in sections 5 to 7 (Microsoft Clarity, Google Tag Manager, Meta Pixel). These cookies are only set if you actively consent via the cookie banner. The marketing category is preselected in the banner but can be deactivated at any time before you confirm your selection. The legal basis is § 25 (1) TDDDG in conjunction with Art. 6 (1) lit. a DSGVO.

Withdrawal of consent

You can withdraw your consent at any time with effect for the future. Please use the “Cookie settings” link in the footer or delete the relevant cookies in your browser settings. The lawfulness of processing carried out up to the time of withdrawal remains unaffected.

5. Microsoft Clarity

On our website we use, subject to your consent, the analytics service “Microsoft Clarity”. The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (“Microsoft”).

Data processed: Microsoft Clarity creates heatmaps, session recordings and behavioural analytics (mouse paths, scroll depth, clicks). The following are processed in particular: IP address (truncated), device and browser information, time on page and interactions with the site. Inputs to form fields are masked using standardised masking mechanisms.

Purpose: Improving usability, identifying UX issues, statistical evaluation of site usage.

Legal basis: Consent pursuant to § 25 (1) TDDDG in conjunction with Art. 6 (1) lit. a DSGVO.

Transfers to third countries: A transfer to the USA takes place. Microsoft is certified under the EU-US Data Privacy Framework; in addition, Standard Contractual Clauses pursuant to Art. 46 (2) lit. c DSGVO are in place. We point out that according to the ruling of the CJEU (judgment of 16 July 2020, C-311/18, “Schrems II”), no level of data protection comparable to that of the EU is currently guaranteed in the USA; in particular, access by US authorities cannot be entirely ruled out.

Storage period: Microsoft Clarity cookies typically have a lifetime of up to one year. Session recordings are regularly deleted by Microsoft after no more than one year.

For more information please refer to Microsoft's privacy statement at privacy.microsoft.com/de-de/privacystatement.

6. Google Tag Manager

We use the Google Tag Manager from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The Google Tag Manager is purely a management interface used to integrate tags and scripts. The Tag Manager itself (which implements the tags) does not process personal data of users for its own purposes.

On our website the Google Tag Manager is loaded only after you have consented to the marketing category, and itself loads only the consent-dependent services concerned (Microsoft Clarity, Meta Pixel). When the container is loaded, your IP address and browser headers are processed for technical reasons.

Legal basis: Consent pursuant to § 25 (1) TDDDG in conjunction with Art. 6 (1) lit. a DSGVO.

Transfers to third countries: Google also transfers data to the USA. The Standard Contractual Clauses and the EU-US Data Privacy Framework apply. More information: policies.google.com/privacy.

7. Meta Pixel (Facebook Pixel)

On our website we use, subject to your consent, the “Meta Pixel” (formerly Facebook Pixel) from Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Meta”).

Data processed: IP address, device and browser information, sub-pages visited, conversion events triggered, and, where applicable, a hashed user ID if you are logged in to Facebook/Instagram. The Meta Pixel can be used to build so-called “Custom Audiences” and “Lookalike Audiences” and to track user behaviour following exposure to an advertisement (conversion and remarketing tracking).

Purpose: Reach measurement, optimisation of our advertising on Meta platforms, and serving advertising to interested target groups.

Legal basis: Consent pursuant to § 25 (1) TDDDG in conjunction with Art. 6 (1) lit. a DSGVO.

Joint controllership: For the collection and transmission of data to Meta we are jointly responsible together with Meta (Art. 26 DSGVO). This is based on the Controller Addendum agreed between the parties, available at facebook.com/legal/controller_addendum. Meta is solely responsible for the subsequent processing.

Transfers to third countries: A transfer to the USA takes place; the EU-US Data Privacy Framework and Standard Contractual Clauses apply. For the associated risks, see our notes in section 5.

For more information on processing by Meta, please refer to Meta's privacy policy at facebook.com/privacy/policy.

8. Contact and contact form

If you send us enquiries via the contact form or by email, the information you provide in the form (typically name, email address, phone number where applicable, company and the content of the message) will be stored by us for the purpose of processing the enquiry and in case of follow-up questions.

Legal basis: For pre-contractual enquiries Art. 6 (1) lit. b DSGVO; otherwise our legitimate interest in the effective processing of enquiries addressed to us (Art. 6 (1) lit. f DSGVO).

Recipients: Your data are not passed on to third parties; in particular, no external processor is used for handling contact requests.

Storage period: We store your enquiry and the related correspondence until the matter has been concluded and no further follow-up questions are to be expected, but in any case no longer than until the expiry of any statutory retention periods (as a rule 6 years under commercial law, 10 years under tax law).

9. User account in the Skayer-Berater portal

To use our client portal at berater.skayer.de, the creation of a user account is required. As part of registration and use, we process:

  • Email address (as a unique identifier and for login)
  • Password — exclusively in the form of a bcrypt hash; the plain-text password is never stored
  • Session cookie (HMAC-signed, validated server-side) to maintain login
  • Timestamps of logins and last access

Legal basis: Art. 6 (1) lit. b DSGVO (performance of the usage relationship) and Art. 6 (1) lit. f DSGVO (legitimate interest in IT security, in particular protection against account abuse).

Storage location and processors: All account and session data are stored on a server operated by us with the German hosting provider Strato AG (Otto-Ostrowski-Straße 7, 10249 Berlin) in Germany. Data are held in a file-based store (JSON on disk). A data-processing agreement (Auftragsverarbeitungsvertrag) under Art. 28 GDPR is in place with Strato. No external providers such as Supabase, Firebase, Auth0 or comparable identity providers are used; data are not passed on to third parties.

Storage period: Account data are stored for the duration of portal use. If you request account deletion, personal data are deleted without undue delay, unless statutory retention obligations prevent this (in which case processing will be restricted). Inactive accounts are automatically deleted after 36 months without login.

10. Your rights as a data subject

If personal data about you are processed, you are a data subject within the meaning of the DSGVO and you have the following rights vis-à-vis the controller:

  • Right of access (Art. 15 DSGVO)
  • Right to rectification (Art. 16 DSGVO)
  • Right to erasure (Art. 17 DSGVO)
  • Right to restriction of processing (Art. 18 DSGVO)
  • Right to data portability (Art. 20 DSGVO)
  • Right to object to processing (Art. 21 DSGVO)
  • Right to withdraw consent with effect for the future (Art. 7 (3) DSGVO)
  • Right to lodge a complaint with a data protection supervisory authority (Art. 77 DSGVO)

To exercise these rights, please contact us informally at info@skayer.de.

Competent supervisory authority

Our competent supervisory authority within the meaning of Art. 77 DSGVO is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach
Germany

www.lda.bayern.de

11. SSL/TLS encryption

For security reasons and to protect the transmission of confidential content, this site uses SSL or TLS encryption. You can recognise an encrypted connection by the change in the browser's address bar from “http://” to “https://” and by the lock icon in the browser bar. When SSL or TLS encryption is enabled, the data you transmit to us cannot be read by third parties.

12. Validity and changes to this policy

This privacy policy is currently in force. As our website and offering continue to develop, or due to changing legal or regulatory requirements, it may become necessary to amend this privacy policy. The most current version is always available on this page.

Last updated: May 2026