Skip to content

 

Privacy Policy

 

This Privacy Policy informs you about the nature, scope and purpose of our processing of personal data (hereinafter “data”) within our online offering and its associated websites, functions and content, as well as external online presences such as our social-media profiles (collectively referred to as the “online offering”). For the terminology used—e.g. “personal data” or “processing”—please refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).

Controller

Dr. Christoph Gummersbach
Webfield Consulting Dr Gummersbach
Schiffgasse 3
69151 Neckargemünd
Germany

Types of Data Processed

Inventory data (e.g. names, addresses)

Contact data (e.g. e-mail addresses, telephone numbers)

Usage data (e.g. pages visited, interest in content, access times)

Meta / communication data (e.g. device information, IP addresses)

Processing of Special Categories of Data (Art. 9 (1) GDPR)

No special categories of data are processed.

Categories of Data Subjects

Customers / prospects / suppliers

Visitors and users of the online offering

Hereinafter we refer to data subjects collectively as “users.”

Purpose of Processing

Provision of the online offering, its content and functions

Responding to contact requests and communicating with users

Marketing, advertising and market research

Security measures

Applicable Legal Bases

Pursuant to Art. 13 GDPR, we inform you of the legal bases for our data processing:

Purpose    Legal basis
Obtaining consent    Art. 6 (1) (a) and Art. 7 GDPR
Performance of our services and contractual measures; answering enquiries    Art. 6 (1) (b) GDPR
Compliance with legal obligations    Art. 6 (1) (c) GDPR
Safeguarding our legitimate interests    Art. 6 (1) (f) GDPR

Changes and Updates to this Privacy Policy

Please review this Privacy Policy regularly. We will adapt it whenever changes in our data-processing activities make this necessary. We will notify you if specific cooperation on your part (e.g. renewed consent) or another individual notification becomes required.

Security Measures

In accordance with Art. 32 GDPR, and considering the state of the art, implementation costs and the nature, scope, context and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and digital access to the data, input, disclosure, ensuring data availability and separation. We also maintain procedures to enable data-subject rights, data deletion and responses to data-threat incidents. Furthermore, we take data protection into account during the development or selection of hardware, software and procedures, in accordance with the principle of data protection by design and by default (Art. 25 GDPR).


Cooperation with Processors and Third Parties

If, in the course of our processing, we disclose data to other persons or companies (processors or third parties), transmit it to them or otherwise grant them access, this is done only on the basis of a legal permission (e.g. if transmission of the data to third parties—such as payment service providers—is necessary for contract fulfilment under Art. 6 (1) (b) GDPR), if you have provided consent, if a legal obligation so provides or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.). Where we commission third parties to process data on the basis of a so-called “processing contract,” this is done in accordance with Art. 28 GDPR.

Transfers to Third Countries

If we process data in a third country (i.e. outside the EU or EEA) or this occurs in the context of using third-party services or disclosing or transferring data to third parties, it is done only to fulfil our (pre)contractual obligations, on the basis of your consent, due to a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or permit the processing of data in a third country only under the special conditions of Art. 44 ff. GDPR. Processing takes place, for example, on the basis of special guarantees such as the officially recognised determination of a level of data protection equivalent to that of the EU (e.g. for the USA via the “Privacy Shield”) or compliance with officially recognised special contractual obligations (so-called “standard contractual clauses”).

Rights of Data Subjects

Right of access (Art. 15 GDPR): You have the right to obtain confirmation of whether data concerning you is being processed, information about this data, further information and a copy of the data.

Right to rectification (Art. 16 GDPR): You have the right to request completion or correction of inaccurate data concerning you.

Right to erasure (Art. 17 GDPR) and restriction of processing (Art. 18 GDPR): You may request that data be deleted immediately or, alternatively, processing be restricted.

Right to data portability (Art. 20 GDPR): You have the right to receive data you have provided to us and to transmit it to another controller.

Right to lodge a complaint (Art. 77 GDPR): You may lodge a complaint with the competent supervisory authority.

Right of Withdrawal
You have the right to withdraw consents granted under Art. 7 (3) GDPR with future effect.

Right to Object
You may object at any time to the future processing of data concerning you in accordance with Art. 21 GDPR, particularly to processing for direct-marketing purposes.

Cookies and Right to Object to Direct Marketing

We use temporary and permanent cookies—small files stored on users’ devices (for an explanation, see the last section of this Privacy Policy). Some cookies are required for security or operational reasons (e.g. display of the website or storing the user’s decision in the cookie banner). We and our technology partners also use cookies for reach-measurement and marketing purposes; users are informed about this below.

You can declare a general objection to cookies used for online-marketing purposes—especially tracking—via the website Your Online Choices. You can also disable cookies in your browser settings; however, some functions of this online offering may then be unavailable.

Deletion of Data

Data processed by us is deleted or restricted in accordance with Art. 17 and 18 GDPR. Unless expressly stated otherwise in this Privacy Policy, stored data is deleted as soon as it is no longer required for its purpose and deletion does not conflict with legal retention obligations. If data is not deleted because it is required for other and legally permissible purposes, its processing is restricted (i.e. the data is blocked and not processed for other purposes).

Legal retention is especially six years under § 257 (1) HGB (e.g. trading books, inventories, opening balances, annual financial statements, business letters) and ten years under § 147 (1) AO (e.g. books, records, management reports, accounting vouchers, commercial and business letters, documents relevant to taxation).

Contacting Us

When contacting us (e.g. via contact form or e-mail), user details are processed to handle and respond to the enquiry in accordance with Art. 6 (1) (b) GDPR.

Collection of Access Data and Log Files

On the basis of our legitimate interests under Art. 6 (1) (f) GDPR, we collect data on each access to the server hosting this service (server log files). Access data includes: name of the accessed web page, file, date and time, data volume transferred, confirmation of successful retrieval, browser type and version, user operating system, referrer URL, IP address and requesting provider.
Log-file information is stored for security reasons (e.g. to investigate misuse or fraud) for a maximum of seven days and then deleted, unless further retention is required for evidentiary purposes.

Online Presences in Social Media

We maintain online presences within social networks and platforms to communicate with active customers, prospects and users and to inform them about our services. The terms and data-processing policies of the respective operators apply when you access these networks. Unless stated otherwise in this Privacy Policy, we process users’ data when they communicate with us within social networks (e.g. by posting on our profiles or sending messages).

Cookies

Cookies are pieces of information stored by our web server or third-party web servers in users’ browsers for later retrieval. Cookies may be small files or other types of information storage.

Users are informed about the use of cookies for pseudonymous reach-measurement within this Privacy Policy. If users do not wish cookies to be stored on their device, they can disable the relevant option in their browser settings. Stored cookies can be deleted in the browser settings. Disabling cookies may limit the functionality of this online offering.

You can object to cookies used for reach-measurement and advertising purposes via the Network Advertising Initiative deactivation page or the website Your Online Choices.


Google Services

We use Google Tag Manager (GTM) (provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View CA 94043, USA) to load and manage marketing, analytics and functional scripts from a single interface. GTM itself does not set cookies or store personal data; it merely activates other tags, which are described separately in this policy. To keep the service reliable, Google collects only aggregated diagnostics about tag firing, excludes IP addresses or user identifiers, and deletes the associated HTTP-request logs within 14 days. Data may be processed on Google servers in the United States. Google LLC is certified under the EU-U.S. Data Privacy Framework and additionally relies on Standard Contractual Clauses to safeguard cross-border transfers. The use of GTM is based on our legitimate interest in the efficient, secure administration of website technologies (Art. 6 (1)(f) GDPR). GTM honours any consent preferences you set in our cookie banner; if you opt out of a tag category (e.g. analytics or marketing), the corresponding scripts will not be fired. You can also block GTM entirely by disabling JavaScript in your browser, though some site functions may then be unavailable.

We use Google Ads Remarketing (provider: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View CA 94043, USA) to show ads to people who have previously visited our site and may still be interested in our services. When you access our pages, the Google tag stores first-party and DoubleClick cookies such as “IDE”, “ANID” or “NID” (lifespan ≤ 13 months in the EEA) that contain a pseudonymous ID; Google reads or writes these cookies on partner sites to recognise your browser, record which pages you viewed and display relevant ads across the Google Display Network and YouTube. The processing occurs only if you consent to marketing cookies in our banner (Art. 6 (1)(a) GDPR). We also rely on our legitimate interest in efficient, interest-based advertising (Art. 6 (1)(f) GDPR). Google may combine cookie-derived data with information from your Google account when you are signed in and have allowed ad personalisation; you can disable such personalisation at any time in My Ad Center / Ads Settings or withdraw consent via our cookie settings. Data may be processed on servers in the United States. Google LLC is certified under the EU-U.S. Data Privacy Framework and additionally applies Standard Contractual Clauses to ensure an adequate level of protection for cross-border transfers. 

We use Google Ads Conversion Tracking (provider: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View CA 94043, USA) to gauge how effective our online advertising is. When you arrive on our site via a Google ad, the Google tag (gtag.js) stores a first-party cookie in the “gcl” family that keeps a unique Google Click ID (GCLID) so later actions—such as form submissions—can be linked back to the originating campaign. The tag fires only if you have given marketing-cookie consent: we have implemented Google Consent Mode v2, which has been mandatory for conversion tracking in the EEA since March 2024 and ensures that all Google tags respect your consent preferences. Collected data (including the hashed click ID, IP-derived location, browser information and the fact that a conversion occurred) is transmitted to Google servers, some of which are located in the United States. Google LLC is certified under the EU-U.S. Data Privacy Framework and additionally relies on Standard Contractual Clauses to guarantee an adequate level of protection for cross-border transfers. Processing is based on your consent under Art. 6 (1)(a) GDPR and on our legitimate interest in measuring and optimising our advertising under Art. 6 (1)(f) GDPR. 

We employ Google Ads Enhanced Conversions for Web (ECW) (provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View CA 94043, USA) to improve the accuracy of our ad-conversion measurement. When you complete a form on our website, first-party details you enter—such as e-mail address or name—are captured by the Google tag, hashed in your browser with the SHA-256 algorithm and transmitted in this pseudonymised form to Google, where they are matched against Google accounts to attribute conversions from ad clicks without revealing the clear data to Google. Processing takes place only with your consent to marketing cookies (Art. 6 (1)(a) GDPR) and on our legitimate interest in reliable campaign statistics (Art. 6 (1)(f) GDPR). Data may be processed on servers in the United States; Google LLC is certified under the EU-U.S. Data Privacy Framework and additionally relies on Standard Contractual Clauses to ensure an adequate level of protection for cross-border transfers. 

We use Google Ads Enhanced Conversions for Leads (ECL) (provider: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland; parent: Google LLC, 1600 Amphitheatre Parkway, Mountain View CA 94043, USA) to improve attribution of offline outcomes (e.g., sales calls or contracts) back to the Google Ads campaigns that generated the original website lead. When you submit a lead form on our site, selected first-party details you provide (such as e-mail address or name) are captured by the Google tag, hashed using SHA-256, and sent to Google; when we later import lead outcomes, this pseudonymised data is used to match to prior ad interactions and signed-in Google accounts for more accurate conversion measurement. Processing takes place only with your consent to marketing/measurement (Art. 6(1)(a) GDPR) and, where applicable, on our legitimate interest in reliable campaign analytics (Art. 6(1)(f) GDPR). Data may be processed on servers in the United States; for such transfers, Google relies on the EU-U.S. Data Privacy Framework and related mechanisms.

We employ Google Analytics 4 (GA4) (provider: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View CA 94043, USA) to analyse how visitors use our site and to help us improve content, performance and marketing. GA4 works with first-party cookies (e.g. _ga) and similar technologies to record information such as the pages you view, the time spent on each page, the links you click, your approximate location (country/region), device and browser details and a randomly generated client identifier. IP addresses are not stored: for users in the EU the IP is used solely for geolocation and is deleted before logging, and GA4 never writes full IP addresses to disk. Google processes this usage data on our behalf under a Data-Processing Agreement and acts as a data processor within the meaning of Art. 28 GDPR; we remain the data controller and can delete or export all data at any time via the GA4 interface. Data may be transferred to Google servers in the United States. Google LLC is certified under the EU-U.S. Data Privacy Framework and additionally relies on Standard Contractual Clauses to guarantee an adequate level of protection for cross-border transfers. Processing is carried out only with your consent to analytics cookies in accordance with Art. 6 (1)(a) GDPR. We have implemented Google Consent Mode v2, mandatory in the EEA since March 2024, so the Analytics tag fires only if you grant the relevant consent signal; otherwise GA4 receives no cookie-based identifiers and models traffic in aggregate. We retain event-level data for 14 months, after which it is automatically deleted. 

Further information on Google’s data-use for marketing can be found at Privacy & Terms - Advertising; Google’s Privacy Policy is available at Privacy & Terms. To opt out of interest-based advertising by Google Marketing Services, use the Google settings and opt-out options at My Ad Centre - Ads that you can control.

Microsoft Services

We use Microsoft Advertising Universal Event Tracking (UET) (provider: Microsoft Ireland Operations Limited, Dublin; parent company: Microsoft Corporation, Redmond, WA, USA) to measure conversions and build remarketing audiences for our ads on the Microsoft network. When the UET tag is loaded on our pages, Microsoft receives information about your visit (e.g., page views and events) together with technical data such as your IP address and a Microsoft advertising identifier; Microsoft retains UET data for up to 390 days and the Microsoft advertising cookie for up to 13 months. UET may set first-party cookies including _uetsid (≈1 day), _uetvid (≈13 months), and—if auto-tagging is enabled—_uetmsclkid (stores the Microsoft Click ID “MSCLKID”, up to 90 days) to link ad clicks with later actions. We run UET only with your consent to marketing/measurement cookies (Art. 6 (1)(a) GDPR) and, where applicable, based on our legitimate interest in campaign analytics (Art. 6 (1)(f) GDPR). We have enabled Microsoft Consent Mode so the tag adjusts to your choices in our cookie banner. Data may be processed on servers outside the EU (e.g., the United States); Microsoft states that its U.S. entities participate in the EU-U.S. Data Privacy Framework and apply appropriate safeguards for such transfers.

We use Microsoft Clarity (provider: Microsoft Ireland Operations Limited, Dublin, Ireland; parent company: Microsoft Corporation, Redmond, WA, USA) to analyse usage of our website via session replays and heatmaps so we can find bugs and improve usability. Clarity places first-party cookies such as _clck and _clsk (and related identifiers like CLID/MUID/ANONCHK) to recognise returning browsers and group page views into sessions. The tag captures technical and interaction data (e.g., page URLs, referrers, clicks, scrolls, approximate location derived from the request, device/browser information), while sensitive content is masked by default and never uploaded; additional masking rules can be configured by us. Recordings are retained for 30 days (or up to 13 months if a session is labelled/favorited); heatmap and aggregated analytics data are retained for 13 months and then deleted. For EEA customers, the contracting entity is Microsoft Ireland Operations Limited; Clarity data is processed in U.S. data centers, with cross-border transfers safeguarded by the EU-U.S. Data Privacy Framework and SCCs between Microsoft affiliates. Microsoft states it acts as an independent data controller for Clarity telemetry, and we rely on your consent to analytics cookies (Art. 6 (1)(a) GDPR) before Clarity runs.

For more details, see Microsoft’s Privacy Statement https://www.microsoft.com/en-gb/privacy/privacystatement.

 

LinkedIn Services

We use the LinkedIn Insight Tag (provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; parent company: LinkedIn Corporation, 1000 W Maude Ave, Sunnyvale, CA 94085, USA) to measure conversions, build website audiences and obtain campaign reach insights. When you visit our site, the tag may record information such as the URL and referrer, your device and browser (user-agent), IP address and timestamp; LinkedIn removes direct identifiers within 7 days and deletes the remaining pseudonymized data within 180 days. If enhanced conversion tracking / first-party cookies are enabled, a LinkedIn click ID (e.g., li_fat_id) may be appended to ad landing-page URLs and stored as a first-party cookie to improve attribution; the tag can also capture limited “Website Actions” events (e.g., page views, button clicks, form submissions). Processing takes place only with your consent to marketing/measurement cookies (Art. 6 (1)(a) GDPR). Data may be transferred to the United States; LinkedIn states it relies on the EU-U.S. Data Privacy Framework and/or Standard Contractual Clauses for such transfers.

For details, see LinkedIn's Help page https://www.linkedin.com/help/linkedin/answer/a7155497 and Privacy Policy https://www.linkedin.com/legal/privacy-policy.

 

Meta Services

We use the Meta Pixel (provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland; parent company: Meta Platforms, Inc., USA) to measure conversions, create website Custom Audiences and optimise our ads on Facebook and Instagram. The Pixel records events (e.g. page views, leads, purchases) and may store/read first-party cookies such as _fbp (browser identifier, lifespan ≈ 90 days) and—when a Meta ad click parameter fbclid is present—_fbc (stores the click ID, lifespan ≈ 90 days) for attribution. If enabled, advanced matching can send selected first-party details you provide (e.g. email) hashed with SHA-256 from your browser to improve match quality; the clear text is not transmitted. We run the Meta Pixel only with your consent to marketing/measurement cookies (Art. 6 (1)(a) GDPR) and rely on our legitimate interest in advertising performance (Art. 6 (1)(f) GDPR). Data may be processed on servers outside the EEA (e.g. the United States); Meta Platforms, Inc. is certified under the EU-U.S. Data Privacy Framework, and Meta also uses additional transfer safeguards. 

For details, see Meta Privacy Policy https://www.facebook.com/privacy/policy/

 

X Services

We use the X Pixel — consisting of the Base code and Event code (previously known as the Twitter Base Pixel and Twitter Event Pixel) — to measure conversions, build remarketing audiences, and understand the effectiveness of our campaigns. When the pixel loads, it can record data such as the page URL/referrer, device and browser information, IP address, and timestamps; it also uses the X click ID (twclid), which is appended to ad landing-page URLs and may be read from a first-party cookie if this option is enabled in Events Manager, to attribute site actions to ad interactions. Cookies and information collected via cookies are generally retained for up to 13 months (and ad-interaction data for up to 12 months). The service is provided by X Internet Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland (parent company: X Corp., Bastrop, TX, USA). Processing takes place only with your consent to marketing/measurement cookies (Art. 6 (1)(a) GDPR) and, where applicable, based on our legitimate interests in campaign analytics and reach measurement (Art. 6 (1)(f) GDPR). Data may be transferred outside the EEA (e.g., to the USA); X participates in the EU-U.S. Data Privacy Framework and also references Standard Contractual Clauses for such transfers.

For details, see X's Privacy Policy https://x.com/en/privacy

 

HubSpot Services

We use the CRM and marketing‑automation platform HubSpot (provider: HubSpot, Inc., 2 Canal Park, Cambridge MA 02141, USA; EU representative: HubSpot Germany GmbH, Am Postbahnhof 17, 10243 Berlin) to manage contact forms, send newsletters, analyse website interactions and provide downloadable content.

In doing so, HubSpot stores cookies on your device and processes data such as IP address, geographic location, browser/OS information, pages visited, referrer URLs, usage times and any details you actively submit (e‑mail address, name, company, etc.). Data is held on HubSpot servers in the United States. To safeguard transfers, HubSpot relies on the EU‑U.S. Data Privacy Framework and Standard Contractual Clauses approved by the European Commission.

The processing is based on your consent under Art. 6 (1)(a) GDPR (e.g. when you accept marketing cookies or subscribe to our mailings) and on our legitimate interest in efficient customer communication and marketing pursuant to Art. 6 (1)(f) GDPR. You can withdraw consent at any time via our cookie settings or the unsubscribe link in every e‑mail.

For details, see HubSpot’s Privacy Policy at https://legal.hubspot.com/privacy-policy.

 

Newsletter

The following notes inform you about the contents of our newsletter, the sign-up, dispatch and statistical-evaluation procedures and your rights of objection. By subscribing to our newsletter, you agree to receive it and to the described procedures.

Content of the newsletter: We send newsletters, e-mails and other electronic notifications with promotional information (“newsletter”) only with the recipients’ consent or legal permission. If the newsletter’s content is specifically described during sign-up, it is decisive for your consent.

Double-opt-in and logging: Sign-up for our newsletter occurs via a double-opt-in procedure. After registering, you receive an e-mail asking you to confirm your registration. This confirmation is necessary so no one can sign up with someone else’s e-mail address. Sign-ups are logged to prove the registration process in accordance with legal requirements (recording sign-up and confirmation times and IP address). Changes to your data stored by the mailing service provider are also logged.

Required data: Only your e-mail address is needed to sign up.

Legal basis for dispatch and performance measurement: Art. 6 (1) (a) and Art. 7 GDPR in conjunction with § 7 (2) no. 3 UWG, or § 7 (3) UWG for existing customers. Logging is based on our legitimate interests under Art. 6 (1) (f) GDPR.

Termination / withdrawal: You can cancel our newsletter at any time—i.e. withdraw your consent. A link to cancel is included at the end of every newsletter. If you have signed up only for the newsletter, your personal data will be deleted after cancellation.

Last updated: 2025-08-04