Privacy Policy

1. Data protection at a glance

General information

The following notes provide a simple overview of what happens to your personal data when you visit this website. “Personal data” means all data that can be used to identify you personally. Detailed information can be found in the full privacy policy below.

Who is responsible for data collection on this website?

Data processing on this website is carried out by the website operator. The operator’s contact details can be found in the section “Controller” below.

How do we collect your data?

  • Data you provide: For example, data you enter in a contact form.
  • Data collected automatically or with your consent: Technical data (e.g., browser, operating system, time of access) is collected automatically when you visit the site. This happens as soon as you enter the website.

What do we use your data for?

Part of the data is collected to ensure the error-free provision of the website. Other data may be used to analyze user behavior. Where contracts can be concluded or initiated via the website, transmitted data is also processed for offers, orders or other requests.

What rights do you have?

You have the right at any time to receive free information about the origin, recipients and purpose of your stored personal data. You also have the right to request rectification or deletion of this data. If you have given consent, you can withdraw it at any time with future effect. You further have the right, under certain circumstances, to request restriction of processing and the right to lodge a complaint with the competent supervisory authority. You can contact us at any time regarding these and other questions.

Analytics and third-party tools

Your browsing behavior may be statistically evaluated when you visit this website, primarily with analytics tools. Details are provided below.

2. Hosting and Content Delivery Networks (CDN)

Webflow

Provider: Webflow, Inc., 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA.
When you visit our website, Webflow records various log files including IP addresses. Webflow is a tool for building and hosting websites. Webflow stores cookies or similar technologies that are necessary for displaying the site, providing certain functions and ensuring security (necessary cookies).
Details: Webflow Privacy Policy: https://webflow.com/legal/eu-privacy-policy.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in reliable presentation). Where consent is requested, processing is based on Art. 6(1)(a) GDPR and § 25(1) TDDDG (German Telecommunications Digital Services Data Protection Act). Consent can be withdrawn at any time.
Data transfers to the USA rely on EU Standard Contractual Clauses. Webflow is certified under the EU-US Data Privacy Framework (DPF): https://www.dataprivacyframework.gov/participant/6365.

Cloudflare

Provider: Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA.
Cloudflare provides a global CDN and DNS. It routes traffic between your browser and our website and can act as a filter against malicious traffic. Cloudflare may use cookies or similar technologies solely for the purposes described.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a secure, error-free service).
Transfers to the USA rely on EU Standard Contractual Clauses. Privacy: https://www.cloudflare.com/privacypolicy/.
Cloudflare is certified under the DPF: https://www.dataprivacyframework.gov/participant/5666.
We have a Data Processing Agreement (DPA) in place.

Amazon CloudFront CDN

Provider: Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855, Luxembourg.
CloudFront is a global CDN that routes traffic via its network to increase availability and performance.
Legal basis: Art. 6(1)(f) GDPR.
Transfers to the USA rely on EU Standard Contractual Clauses. Details: https://aws.amazon.com/de/blogs/security/aws-gdpr-data-processing-addendum/.
Privacy notice: https://d1.awsstatic.com/legal/privacypolicy/AWS_Privacy_Notice__German_Translation.pdf.
AWS is certified under the DPF: https://www.dataprivacyframework.gov/participant/5776.
We have a DPA in place.

Bunny.net CDN

Provider: BunnyWay d.o.o., Dunajska cesta 165, 1000 Ljubljana, Slovenia.
Global CDN to improve reach and performance. The CDN records IP addresses (which are anonymized) and processes personal data you actively provide (e.g., via contact forms).
Legal basis: Art. 6(1)(f) GDPR.
Privacy: https://bunny.net/privacy/.
We have a DPA in place.

3. General information and mandatory disclosures

Data protection

We take the protection of your personal data seriously and process it in accordance with statutory data protection regulations and this policy. Note that data transmission over the internet (e.g., email communication) can have security gaps.

Controller

Designbase GmbH
Inninger Str. 11a
82237 Wörthsee
Phone: +49 (0)89 954 571 610
Email: hello@designbase.studio

The controller is the natural or legal person who decides on the purposes and means of processing personal data.

Storage period

Unless a more specific period is stated here, personal data remains with us until the purpose no longer applies. If you assert a justified deletion request or withdraw consent, your data will be deleted unless there are other legally permissible reasons for storage (e.g., tax or commercial retention obligations).

Legal bases for processing

Depending on the situation, we process your data on the basis of:

  • Consent: Art. 6(1)(a) GDPR (and Art. 9(2)(a) GDPR for special categories of data), and, where applicable, § 25(1) TDDDG for storing/reading information on your device.
  • Contract: Art. 6(1)(b) GDPR.
  • Legal obligation: Art. 6(1)(c) GDPR.
  • Legitimate interests: Art. 6(1)(f) GDPR.
    If we transfer data to third countries with your explicit consent, Art. 49(1)(a) GDPR applies.

Recipients of personal data

We work with various external parties. We only share personal data if required to fulfill a contract, if we are legally obliged, if we have a legitimate interest, or if another legal basis permits it. For processors, we conclude DPAs; for joint controllers, we conclude joint-controller agreements.

Withdrawal of consent

You can withdraw consent at any time with future effect. The lawfulness of processing prior to withdrawal remains unaffected.

Right to object (Art. 21 GDPR)

You have the right to object at any time, on grounds relating to your particular situation, to processing based on Art. 6(1)(e) or (f) GDPR, including profiling. We will then no longer process your data unless we demonstrate compelling legitimate grounds or the processing serves the establishment, exercise or defense of legal claims.
If your data is processed for direct marketing, you can object at any time; we will then no longer use your data for this purpose.

Complaint to a supervisory authority

You have the right to lodge a complaint with a supervisory authority, in particular in your habitual residence, place of work or the place of the alleged infringement.

Data portability

You have the right to receive data that we process on the basis of consent or contract in a commonly used, machine-readable format, or to have it transmitted to another controller where technically feasible.

Access, rectification, deletion

You have the right to free information about your stored personal data, its origin and recipients, the purpose of processing, and—where applicable—the right to rectification or deletion.

Restriction of processing

You may request restriction of processing if:

  • you contest the accuracy of the data (for the time needed to verify it);
  • processing is unlawful and you oppose deletion;
  • we no longer need the data but you need it for legal claims;
  • you have objected under Art. 21(1) GDPR and the balance of interests is pending.
    If processing is restricted, such data will—apart from storage—only be processed with your consent or for legal claims, protecting others’ rights, or important public interests.

SSL/TLS encryption

For security and to protect confidential transmissions, this site uses SSL/TLS encryption. You can recognize an encrypted connection by “https://” and the lock icon in your browser.

4. Data collection on this website

Cookies

We use cookies (session and persistent; first-party and third-party). Necessary cookies are stored on the basis of Art. 6(1)(f) GDPR. Where consent for cookies or similar technologies (e.g., device fingerprinting) is requested, processing is based on Art. 6(1)(a) GDPR and § 25(1) TDDDG. You can configure your browser to be informed about cookies, allow them only in individual cases, exclude them, or delete them automatically on browser close. Disabling cookies may limit website functionality. Specific cookies and services used are listed in this policy.

Consent with Finsweet Cookie Consent

We use Finsweet Cookie Consent to obtain and document your cookie/technology consents. Provider: Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark (“Cookiebot”). When you enter our site, a connection to Finsweet is established to record your consent(s). Cookiebot then stores a cookie in your browser to assign consents and withdrawals. Data is stored until you ask us to delete it, delete the Cookiebot cookie yourself, or the storage purpose no longer applies. Legal basis: Art. 6(1)(c) GDPR (legal obligation to obtain/document consent).

Server log files

The provider automatically collects and stores information your browser transmits:

  • browser type and version; operating system; referrer URL; host name; time of server request; IP address.
    These data are not merged with other data sources. Legal basis: Art. 6(1)(f) GDPR.

Contact form

If you send inquiries via contact form, the information you provide—including contact details—is stored for processing and follow-up. We do not share this data without consent. Legal basis: Art. 6(1)(b) GDPR (contract/pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in effective handling of inquiries) or Art. 6(1)(a) GDPR where consent is required. Data remain with us until you request deletion, withdraw consent, or the purpose no longer applies, subject to statutory retention.

Requests by email, phone or fax

If you contact us by these means, your inquiry including personal data (name, request) will be stored and processed for handling. We do not pass it on without consent. Legal bases as above (Art. 6(1)(b), (f) or (a) GDPR). Retention as above.

Cal.com (appointment booking)

We provide the option to book appointments via Cal.com. Provider: Cal.com, Inc. (see privacy: https://cal.com/privacy). For booking, you enter the requested data and preferred time. The data are used for planning, performing and, where applicable, follow-up of the appointment and are stored on Cal.com’s servers. Data remain until you request deletion, withdraw consent, or the purpose no longer applies; statutory retention remains unaffected.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in simple appointment scheduling). Where consent is requested, Art. 6(1)(a) GDPR and § 25(1) TDDDG apply. Transfers to third countries may rely on EU Standard Contractual Clauses.

5. Analytics and advertising

Google Tag Manager

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
The Tag Manager enables us to integrate/manage tools. It does not create user profiles or store cookies, but it records your IP address, which may be transferred to the US parent company.
Legal basis: Art. 6(1)(f) GDPR; where consent is requested, Art. 6(1)(a) GDPR and § 25(1) TDDDG.
DPF certification info: https://www.dataprivacyframework.gov/participant/5780.

Plausible Analytics

Provider: Plausible Insights OÜ, Västriku tn 2, 50403, Tartu, Estonia.
We analyze website use (page URL, HTTP request/referrer, browser, OS, device type, IP address). HTTP request and IP are stored as a hash for 24 hours to recognize returning visits within that period; identification of a person is not possible.
Legal basis: with consent, Art. 6(1)(a) GDPR and § 25 TDDDG; otherwise Art. 6(1)(f) GDPR (legitimate interest in meaningful analytics).
We have a DPA in place.

6. Plugins and tools

YouTube with enhanced privacy mode

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
When you visit a page with embedded YouTube content, a connection to YouTube servers is established. If you are logged in to YouTube, your behavior can be associated with your profile. We use enhanced privacy mode. According to YouTube, videos played in this mode are not used to personalize browsing on YouTube and ads are not personalized; no cookies are set, but local storage elements may be used. Details: https://support.google.com/youtube/answer/171780. Further processing after activation may occur beyond our control.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in appealing presentation); where consent is requested, Art. 6(1)(a) GDPR and § 25(1) TDDDG.
Privacy: https://policies.google.com/privacy?hl=de.
DPF certification info: https://www.dataprivacyframework.gov/participant/5780.

7. Audio and video conferencing

Data processing

We use online conferencing tools to communicate with customers. The tools process data you provide (email address/phone number), metadata (duration, start/end time, number of participants), technical data (IP/MAC addresses, device IDs/type, OS type/version, client version, camera/microphone/speakers, connection type), and any content shared (recordings, chats, voicemails, files, whiteboards, etc.). Our influence on the providers’ own processing is limited; please refer to their privacy notices.

Purpose and legal bases

Communication with prospective and existing contracting parties or for providing services: Art. 6(1)(b) GDPR. Otherwise to simplify and accelerate communications: Art. 6(1)(f) GDPR. Where consent is requested, processing is based on consent (withdrawable at any time).

Storage period

Data collected directly via the tools are deleted from our systems when you request deletion, withdraw consent or the purpose no longer applies. Cookies remain on your device until deleted. Statutory retention remains unaffected. We have no influence on providers’ own retention; please consult their policies.

Tools used: Google Meet

Provider: Google Ireland Limited. Privacy: https://policies.google.com/privacy.
DPF certification info: https://www.dataprivacyframework.gov/participant/5780.
We have a DPA in place.

Last updated: [10/2025]

Note: Where this English version is provided for convenience, the German version may prevail in case of doubt.