Privacy Policy

Effective Date: January 17, 2026

1. Data Controller

The data controller is:

Graham Miranda UG (haftungsbeschränkt)
Hasselfelder Str. 23
38889 Blankenburg (Harz)
Germany

Data Protection Contact:
Email: [email protected]
Phone: +49 156 78397267

Managing Director: Graham Craig Miranda
Commercial Register: HRB 36794 (Amtsgericht Stendal)

2. Data Processing on This Website

2.1 General Information

When you visit our website, information of a general nature is automatically collected. This data is not personal data and is not linked to personal data without your explicit consent.

2.2 Automatically Collected Data (Server Logs)

The following data is automatically collected and stored with each access to our website:

  • IP address
  • Date and time of access
  • Browser type and version
  • Operating system
  • Referrer URL (previous page)
  • Filename and size of requested resources
  • HTTP status code

Legal Basis: Article 6 (1) f) GDPR (legitimate interest in security and optimization of our IT infrastructure)

Retention Period: 30 days (in server logs), then automatic deletion

Purpose:

  • System security and stability
  • Detection of attempted attacks
  • Error diagnosis and technical optimization
  • Statistical analysis (aggregated, non-personal)

3. Hosting and Infrastructure

3.1 Web Hosting via Odoo Online

Our website is hosted on the Odoo Online platform (Odoo SA).

Hosting Provider: Odoo SA, Rue des Générales, 1054 El Menzah VI, Tunis, Tunisia

Data Processing by Odoo:

  • Odoo is a processor (data processor) under Article 28 GDPR
  • Data is processed and stored in data centers in Belgium
  • Odoo is GDPR-compliant and subject to EU data protection requirements
  • Odoo Privacy Policy: https://www.odoo.com/page/privacy

Data Processing Agreement (DPA): A valid DPA pursuant to Article 28 GDPR is in place with Odoo SA.

3.2 Content Delivery Network (CDN) and DNS

Cloudflare:

  • Service Provider: Cloudflare Inc., San Francisco, USA
  • Function: DNS resolution, DDoS protection, CDN services
  • Data Processing: IP addresses, request logs
  • Privacy Policy: https://www.cloudflare.com/privacypolicy/
  • Legal Basis: Article 6 (1) f) GDPR (legitimate interest in security and performance)
  • Retention: According to Cloudflare policies (max. 30 days)

OVH:

3.3 AWS (Amazon Web Services) and AWS SES

Amazon Web Services (AWS):

  • Service Provider: Amazon Web Services EMEA SARL
  • Function: Cloud infrastructure, email processing via AWS SES
  • Data Processing: Transaction data, email sending
  • Privacy Policy: https://aws.amazon.com/privacy/
  • Legal Basis: Article 6 (1) f) GDPR (legitimate interest in reliable infrastructure)

AWS SES (Email Service):

  • Function: Sending transactional emails (confirmations, notifications)
  • Data: Recipient address, email content
  • Retention: According to AWS policies and business requirements

3.4 HostKey

HostKey:

  • Service Provider: HostKey (domain hosting, DNS services)
  • Function: Supporting infrastructure services
  • Legal Basis: Article 6 (1) f) GDPR

4. Contact Forms and Email Communication

4.1 Contact Forms

When you submit our contact form, we collect the following personal data:

  • Name
  • Email address
  • Phone number (optional)
  • Message / Content
  • IP address (automatic)
  • Timestamp (date and time)

Legal Basis: Article 6 (1) a) GDPR (consent) and Article 6 (1) f) GDPR (legitimate interest in communication and customer service)

Purpose of Processing:

  • Responding to your inquiry
  • Contact establishment
  • Customer service and support
  • Business transaction

Retention Period:

  • Incomplete or rejected inquiries: 6 months from receipt
  • Accepted inquiries/business initiation: 8-10 years under §147 AO and §257 HGB (business correspondence)
  • After conclusion of business relationship: According to statutory retention requirements

Processor: The contact form is processed and stored by Odoo.

4.2 Email Communication

When you contact us by email, the following data is processed:

  • Sender email address
  • Subject line
  • Email content
  • Attachments
  • Timestamp

Legal Basis: Article 6 (1) a) GDPR (consent through sending the email)

Retention Period:

  • Business-relevant emails: 8-10 years under §147 AO and §257 HGB
  • Other correspondence: Up to 6 years
  • Spam/unwanted emails: Deleted after reasonable time

Email Providers:

  • Google/Gmail (if your email provider)
  • Apple Mail (if your email provider)
  • AWS SES: For outgoing transactional emails from our side

5. Analytics and Tracking

5.1 Plausible Analytics

We use Plausible Analytics to analyze website usage and visitors.

Provider: Plausible Insights OÜ, Estonia

Privacy Policy: https://plausible.io/privacy

Collected Data (Anonymized):

  • Page views and page impressions
  • Time on page
  • Most popular pages
  • Referrer sources
  • Device type and operating system
  • Country/language

Important: Plausible is GDPR-compliant and deliberately collects NO personal data such as:

  • No cookies
  • No IP address storage
  • No user IDs
  • No tracking pixels

Legal Basis: Article 6 (1) f) GDPR (legitimate interest in website optimization)

No Consent Required: Plausible is cookie-free and privacy-friendly, so no prior consent is required.

5.2 Google Services (Optional)

If Google Analytics or Google Search Console are used:

Legal Basis: Article 6 (1) a) GDPR (consent via cookie banner required)

Data Recipient: Google LLC, USA

Privacy Policy: https://www.google.com/intl/en/policies/privacy/

6. Payment Processing

We accept multiple payment methods:

6.1 Stripe (Credit Cards, Digital Wallets)

Service Provider: Stripe Inc., San Francisco, USA

Purpose: Processing card payments and digital wallets

Data Processing: Payment data, billing address

Privacy Policy: https://stripe.com/privacy

Legal Basis: Article 6 (1) b) GDPR (Contract)

6.2 PayPal

Service Provider: PayPal (Europe) S.à r.l. et Cie., S.C.A., Luxembourg

Purpose: Processing PayPal payments

Privacy Policy: https://www.paypal.com/webapps/mpp/ua/privacy-full

Legal Basis: Article 6 (1) b) GDPR (Contract)

6.3 Cryptocurrency

When paying with cryptocurrency (Bitcoin, Ethereum, etc.):

  • Blockchain transactions are public
  • We only store your public wallet address and transaction hash
  • Your identity is not directly linked (pseudonymized)
  • Legal Basis: Article 6 (1) b) GDPR (Contract)

6.4 SEPA and Bank Transfer

Purpose: Processing bank payments

Data: Account holder, IBAN, payment amount

Retention: 10 years under §257 HGB and §147 AO

Legal Basis: Article 6 (1) b) GDPR (Contract)

Important: Payment data is encrypted during transmission and not stored longer than necessary.

7. Cookies and Local Storage

7.1 Cookie Policy

Our website uses cookies and local storage mechanisms.

Classification:

Technically Necessary Cookies (without consent):

  • Session management
  • CSRF protection
  • Odoo function cookies (authentication)
  • Language settings
  • Security tokens

Marketing and Analytics Cookies (with consent required):

  • Google Analytics (if enabled)
  • Remarketing pixels
  • Affiliate tracking

Legal Basis:

  • Necessary: Article 6 (1) f) GDPR
  • Optional: Article 6 (1) a) GDPR + TTDSG §25 para. 2

7.2 Cookie Banner

On your first visit to our website, a cookie banner is displayed (if implemented):

  • Opt-in only for marketing: Necessary cookies are set automatically, marketing cookies only with explicit consent
  • Granular control: You can enable/disable individual cookie categories
  • Consent storage: Your cookie settings are stored for 12 months
  • Change option: You can change your settings anytime via the cookie manager

8. Data Subject Rights (Articles 12-23 GDPR)

You have the following rights regarding your personal data:

8.1 Right to Access (Article 15 GDPR)

You have the right to know what data is stored about you and how it is processed.

Request to: [email protected]

8.2 Right to Rectification (Article 16 GDPR)

If your data is inaccurate, you can request correction.

8.3 Right to Erasure (Article 17 GDPR) – "Right to be Forgotten"

You can request deletion of your data, unless statutory retention obligations apply.

Important: Tax law retention obligations (§147 AO, §257 HGB) may prevent deletion.

8.4 Right to Restrict Processing (Article 18 GDPR)

You can request that processing of your data be restricted.

8.5 Right to Data Portability (Article 20 GDPR)

You have the right to obtain your data in a structured, machine-readable format.

8.6 Right to Object (Article 21 GDPR)

You can object to processing of your data based on legitimate interests.

8.7 Right to Notification of Data Breaches (Article 34 GDPR)

If a security breach occurs with high risk, we will notify you without undue delay.

9. Retention Periods

The following retention periods apply for different types of data (based on German tax and commercial law):

Data Type | Retention Period | Legal Basis
Invoices and payment data | 10 years | §147 AO, §257 HGB
Business correspondence | 6 years | §147 AO
Contact form inquiries (rejected) | 6 months | GDPR Article 5
Contact form inquiries (accepted) | 8-10 years | §147 AO, §257 HGB
Server logs | 30 days | Article 6 (1) f) GDPR
Analytics data (Plausible) | Aggregated, no deletion | GDPR-compliant
Marketing data / Newsletter | Until unsubscribe | Article 7 GDPR
Cookies (Opt-in) | 12 months | User setting

Important: After the statutory retention period expires, data is deleted or anonymized, unless there is another legal reason for continued storage.

10. Third-Country Transfers

Some services process data in countries outside the EU/EEA:

Service Provider | Location | Security
AWS (USA) | United States | Standard Contractual Clauses (SCC)
Google (if used) | USA | SCC + Data Protection Impact Assessment
Stripe | USA | SCC
Cloudflare | USA | SCC

Security Measures:

  • Standard Contractual Clauses (SCC) under Article 46 GDPR
  • Data Protection Impact Assessments (DPIA)
  • Encryption of data during transmission
  • Contracts with data processors (Article 28 GDPR)

Legal Basis: Article 6 (1) f) GDPR, Article 46 GDPR

11. Data Security

We implement technical and organizational measures to protect your data:

Technical Measures:

  • HTTPS encryption of all connections (TLS 1.2+)
  • Firewall and intrusion detection
  • Regular security updates
  • Encrypted data storage (where possible)
  • Secure password storage (hashing)

Organizational Measures:

  • Access controls (authorized personnel only)
  • Privacy training for staff
  • Version control and audit trails
  • Privacy by design and default (DPIA)
  • Incident response plan

Security Limits: No transmission over the internet is 100% secure. We cannot guarantee absolute protection but take all appropriate measures.

12. Data Protection Contact and Complaints

12.1 Privacy Contact

For questions about data protection, contact us:

Email: [email protected]
Phone: +49 156 78397267

We will respond to your inquiry within 30 days.

12.2 Complaint to Supervisory Authority

You have the right to lodge a complaint with the responsible supervisory authority:

Responsible Authority (Germany - Saxony-Anhalt):

Landesbeauftragte für Datenschutz und Informationsfreiheit Sachsen-Anhalt
Leiterstraße 9
39104 Magdeburg
Germany

Phone: +49 391 8104-0
Email: [email protected]
Website: https://www.lfd.sachsen-anhalt.de/

Complaints can also be filed with the data protection authority in your country.

13. External Links and Third Parties

This website contains links to external websites. We are not responsible for the privacy policies of these sites. Please review the privacy policy of each external website before submitting personal data.

14. Newsletter and Marketing Communication

If you subscribe to our newsletter, we process:

  • Email address
  • Name
  • Timestamp (subscription date)
  • Open and click tracking (optional)

Legal Basis: Article 7 GDPR (Double Opt-in)

Unsubscribe: Each newsletter contains an unsubscribe link. After unsubscribing, you are immediately removed from the list and will receive no further emails.

Retention: Data is stored until you unsubscribe, then deleted.

15. Privacy Policy for Customers and B2B

For business customers (B2B) and B2G customers:

  • Processed data: Contact data, contract data, invoice data
  • Retention: 10 years under §257 HGB and §147 AO
  • Purpose: Business transaction, invoicing, customer service
  • Legal Basis: Article 6 (1) b) GDPR (Contract)

This privacy policy is not equivalent to contracts or special contract terms.

16. Changes to This Privacy Policy

We reserve the right to update this privacy policy to reflect changes in our practices, technology, or legal requirements. The latest version will be published on this website.

Last Updated: January 17, 2026