Privacy policy

1. Controller

Maximilian Meisner
Email: kontakt@rechteradar.de
Full postal address: see imprint.

2. Visiting the website (server logs)

When you visit our website, technically necessary data is processed (truncated IP address, timestamp, requested URL, user-agent). Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in stability and security). Logs are automatically deleted after 14 days.

3. Compliance scan and token reports

• Domain and publicly available data of the scanned website (imprint, privacy policy, terms, footer HTML) — legal basis Art. 6 (1) (f) GDPR, legitimate interest in automated compliance information.
• Email address of the contact named in the imprint — legal basis Art. 6 (1) (f) GDPR, legitimate interest in direct business communication (B2B). You may object to further processing at any time, informally.
• Token requests (timestamp, truncated IP, user-agent) for abuse detection — legal basis Art. 6 (1) (f) GDPR. Retention: 90 days.

4. On purchase (order, account, invoice)

We process: contact details, Stripe customer identifier, payment status, invoice data. Legal basis: Art. 6 (1) (b) GDPR (contract performance) and Art. 6 (1) (c) GDPR (statutory retention duties, § 257 HGB, § 147 AO — 6 or 10 years).

We do not store payment data (cards, SEPA mandates). These are processed exclusively by Stripe.

5. Processors

• Stripe Payments Europe Ltd. (Ireland) — payment processing, customer portal. Own privacy policy: stripe.com/en-gb/privacy.
• Sendinblue GmbH (Brevo) (Germany/France) — transactional email delivery (compliance reports, invoices, login links). Own privacy policy: brevo.com/legal/privacypolicy.
• Hostinger International Ltd. (Lithuania) — hosting of the domain rechteradar.de. A data processing agreement under Art. 28 GDPR is in place.
• Own VPS (Hostinger, located in the EU) — application server, Postgres database. Data does not leave the EU.

6. Cookies, analytics and marketing

Technically necessary cookies (session cookie for logged-in customers and operators) are used on the basis of § 25 (2) no. 2 TDDDG; they are required for operation and do not need consent.

In addition, we use analytics and marketing services that load only after your explicit consent via our cookie notice. The legal basis is your consent (Art. 6 (1) (a) GDPR, § 25 (1) TDDDG). You may withdraw consent at any time with effect for the future via the cookie settings.

• Microsoft Clarity — Microsoft Ireland Operations Ltd. (possibly Microsoft Corporation, USA). Reach measurement and anonymised analysis of usage behaviour (e.g. click and scroll behaviour) to improve our offering. A transfer to the USA is possible; Microsoft is certified under the EU-US Data Privacy Framework. Privacy notice: privacy.microsoft.com.
• Meta Pixel and Conversions API (only within the Conformis import offering at getconformis.com) — Meta Platforms Ireland Ltd. (possibly Meta Platforms, Inc., USA). Measurement and optimisation of our advertising campaigns (conversion tracking). For the collection of data via the pixel there is joint controllership with Meta (Art. 26 GDPR). A transfer to the USA is possible (Data Privacy Framework). Privacy notice: facebook.com/privacy/policy.

7. Retention periods

• Lead data without purchase: 12 months, then deletion
• Customer data after cancellation: email anonymisation; invoices 10 years (§ 147 AO)
• Server logs: 14 days
• Token request statistics: 90 days

8. Your rights

You have the right at any time to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20) and objection (Art. 21 GDPR). Requests can be made informally to the contact address.

Right to lodge a complaint with the competent supervisory authority — list: bfdi.bund.de.

9. Withdrawal of consent

If processing is based on your consent, you may withdraw it at any time with effect for the future. The lawfulness of processing carried out prior to withdrawal remains unaffected.