Privacy Policy

 

Introduction

 

General Information

Any processing of your data should be understandable and transparent to you. For this reason, we provide you with an overview of all the essential circumstances concerning the processing of your data.

We have created this information with the goal of being as clear as possible. If you still have questions, please contact us.

This also applies to any other questions you may have regarding the processing of your data. You can read all the laws and regulations referenced in this information for free at https://www.gesetze-im-internet.de/.

 

What does “data processing” mean?

This website processes your personal data. Data is considered personal if it can be directly or indirectly attributed to you in a way that allows you to be identified. Data processing refers to all operations involving your personal data, from storage and use to deletion. You can find the exact definitions in Art. 4, Numbers 1 and 2 of the GDPR.

 

Analysis tools and third-party tools

When you visit our website, your browser behavior can be statistically analyzed with your consent. This is primarily done with cookies and so-called analysis programs. You can find details on this in the following sections.

 

Definitions

This privacy policy uses some technical terms that you may not be familiar with. We would like to explain them here:

• GDPR: The GDPR is the European General Data Protection Regulation, which forms the legal basis for data protection throughout the European Union (EU). It is based on the fact that every citizen in the EU has a fundamental right to the protection of their data (Art. 8 CFR).
• IP address or IP number: This refers to the technical address assigned to the device you are using to access the internet. An IP address is therefore considered personal data.
• Cookies: See the section “Cookies (general explanation).”
• Tool: A “tool” is a computer program that provides additional functions for our website.
• Social Media: Social media is the general term for media where internet users exchange opinions, impressions, experiences, or information and gather knowledge.
• Newsletter: See the section “Newsletter (general explanation).”

 

Data Processing

Privacy Policy – Version from 01.01.2026

 

How can you contact the data controller?

The person responsible for processing your data is:

Jorge Sánchez
Kapstone Solutions GmbH
Rennbahn Str. 42
81929 Munich
Germany

Phone: +49 (0) 162 2073300
Email: jorge.sanchez@kapstone.solutions

 

As the data controller, we determine the means and purpose of processing your data and are therefore accountable to you for it (Art. 5 para. 2 GDPR). You can contact us at any time if you have questions about the processing of your data.

 

Social Media 

 

Instagram

Functions of Instagram are integrated into this website. These functions are offered by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

When the social media element is active, a direct connection is established between your device and the Instagram server. This gives Instagram information about your visit to this website.

If you are logged into your Instagram account, you can link the content of this website to your Instagram profile by clicking the Instagram button. This allows Instagram to associate your visit to this website with your user account. We point out that, as the provider of the pages, we have no knowledge of the content of the data transmitted or its use by Instagram.

If consent has been obtained, the aforementioned service is used on the basis of Art. 6 para. 1 lit. a GDPR and § 25 TTDSG. Consent can be withdrawn at any time. If consent has not been obtained, the service is used on the basis of our legitimate interest in the broadest possible visibility on social media.

Insofar as personal data is collected on our website with the help of the tool described here and forwarded to Facebook or Instagram, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland are jointly responsible for this data processing (Art. 26 GDPR). The joint responsibility is limited exclusively to the collection of the data and its transfer to Facebook or Instagram. The processing carried out by Facebook or Instagram after the transfer is not part of the joint responsibility. The obligations incumbent on us jointly have been set out in an agreement on joint processing. You can find the wording of the agreement at: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing the data protection information when using the Instagram tool and for the data protection-compliant implementation of the tool on our website. Meta is responsible for the data security of the Instagram products. 

Data subject rights (e.g., requests for information) regarding the data processed by Instagram can be asserted directly with Meta. If you assert the data subject rights with us, we are obliged to forward them to Meta.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here:,https://help.instagram.com/519522125107875 and.

Further information on this can be found in Instagram’s privacy policy: https://instagram.com/about/legal/privacy/.

 

Newsletter 

 

GetResponse 

We use the GetResponse service, provided by GetResponse S.A. (Arkonska 6, A3, 80-387 Gdansk, Poland), for managing and sending our newsletters.

When you agree to sign up for our newsletters, the data you provide is collected and stored on the servers of GetResponse. This service allows us to manage our subscriber list, send out our newsletters, and analyze the effectiveness of our campaigns.

1. Types of Data Processed

When you subscribe to our newsletter, GetResponse collects and processes the following personal data on our behalf:

• Contact Information: Your email address, and optionally your first and last name if you provide them.
• Technical Data: Your IP address and the date and time of your subscription.
• Interaction Data: Information about your interaction with our newsletters, such as whether you opened an email, clicked on links within it, or unsubscribed.

2. Purpose of Data Processing

We process the data collected via GetResponse for the following purposes:

• Newsletter Distribution: To send you our newsletter, which may contain information about our products, services, and company news.
• Personalization: To personalize the content of our newsletters and address you by name (if provided).
• Statistical Analysis: To analyze the performance of our newsletter campaigns and improve our content based on user interaction (e.g., open and click rates).
• List Management: To maintain and manage our subscriber list and ensure that we only send newsletters to interested individuals.

3. Legal Basis for Processing

The processing of your data for the newsletter service is based on your explicit consent, in accordance with Art. 6 (1) lit. a GDPR. You provide this consent when you actively sign up for our newsletter.

4. Data Transfer to Third Countries

GetResponse S.A. is a company based in Poland, which is a member of the European Union. This means that your personal data is primarily processed within the EU, which is subject to the strict data protection standards of the GDPR.

GetResponse may use sub-processors located outside of the EU. In such cases, GetResponse is committed to ensuring that data transfers are protected by appropriate safeguards, such as Standard Contractual Clauses (SCCs) approved by the EU Commission, to maintain a high level of data protection.

You can find more information about GetResponse’s privacy policy at: https://www.getresponse.com/legal/privacy

5. Your Rights as a Data Subject

You have the right to withdraw your consent at any time. You can easily do this by clicking the “unsubscribe” link provided in every newsletter email. Withdrawing your consent does not affect the lawfulness of processing carried out before the withdrawal.

You also have the right to request access to, correction of, or deletion of your personal data. You may also request a restriction of processing or object to the processing. To exercise any of these rights, please contact the data controller listed above.

You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the GDPR.

6. Duration of Storage

The personal data collected for the newsletter service is stored for as long as you remain a subscriber. Your data will be deleted as soon as you unsubscribe from the newsletter or when you withdraw your consent, except for a record of your unsubscription to prevent future mailings.

 

User Behavior 

 

Google Analytics (analysis cookie)

We use functions of the web analysis service Google Analytics. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics uses “cookies.” The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there.

The processing is carried out for the purpose of analyzing your user behavior to improve our offer and adapt it to your wishes. The processing only takes place with your consent, which you can withdraw at any time (see the section “Cookies (general explanation)”).

IP anonymization

We have activated the IP anonymization function on this website. This means that your IP address is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before being transmitted to the USA. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity, and to provide other services related to website and internet use to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

Demographic characteristics in Google Analytics

We use the “demographic characteristics” function of Google Analytics. This allows reports to be created that contain statements about the age, gender, and interests of site visitors. This data comes from Google’s interest-based advertising and from visitor data from third-party providers. This data cannot be assigned to a specific person.

Storage period

Privacy Policy – Version from 01.08.2025 

Data stored by Google at the user and event level that is linked to cookies, user IDs (e.g., User ID), or advertising IDs (e.g., DoubleClick cookies, Android advertising ID) will be anonymized or deleted after 26 months. You can find details on this under the following link:

https://support.google.com/analytics/answer/7667196?hl=de

 

WP Statistics (analysis cookie)

This website uses the WP Statistics tool. The provider of the tool is Verona Labs, New York, USA. (https://veronalabs.com). WP Statistics uses cookies.

The processing is carried out for the purpose of analyzing your user behavior to improve our offer and adapt it to your wishes. The processing only takes place with your consent, which you can withdraw at any time (see the section “Cookies (general explanation)”).

WP Statistics cookies remain on your device until you delete them or withdraw your consent.

Further information can be found in Verona Labs’ privacy policy at: https://wp-statistics.com/privacy-and-policy/

 

Other Data Processing

 

Technical Data (Server Log Files)

We automatically collect and store technical information in what are known as server log files, which your browser automatically transmits to us. These include, for example, browser type and version, operating system used, time of the server request, and your IP address.

We do not merge this data with other data sources. The data is only used to ensure the error-free operation of the website.

The collection of this data is based on Art. 6 para. 1 f GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimization of their website.

 

Google Web Fonts

This site uses what are known as web fonts, provided by Google, for the uniform display of fonts. When you open a page, your browser loads the required web fonts into your browser cache to display texts and fonts correctly.

For this purpose, the browser you are using must connect to Google’s servers. This gives Google knowledge that this website was accessed via your IP address.

The use of Google Web Fonts is based on a legitimate interest in the uniform presentation of the font on its website (Art. 6 para. 1 f GDPR).

If your browser does not support web fonts, a standard font from your computer will be used.

Privacy Policy – Version from 01.08.2025 

Further information on Google Web Fonts: https://developers.google.com/fonts/faq 

Google’s privacy policy: https://policies.google.com/privacy?hl=de 

 

Inquiry by email or phone

If you contact us by email or phone, your inquiry, including all resulting personal data (e.g., phone number, time, sender, name, inquiry), will be processed. Your phone number is processed even if no one has yet answered your call. The data in your email is also processed if no one in our company has yet read the email.

We process your data with your consent (Art. 6 para. 1 a), which you can withdraw at any time. In this case, your data will remain with us until you ask us to delete it, you withdraw your consent to storage, or the purpose for data storage no longer applies (e.g., after your inquiry has been processed).

If your inquiry is related to a new or existing contract with us, we may process the data for this reason (Art. 6 para. 1 b GDPR). In addition, we are also legally obliged to continue processing this inquiry (Art. 6 para. 1 c GDPR in conjunction with §257 HGB). In this case, we are obliged to keep your inquiry for at least six years. Further legal obligations, for example from tax law, can also lead to longer retention periods.

 

Who else do we pass your data on to?

The fulfillment of legal obligations and the execution of our business operations make it necessary for us to pass your data on to other people, companies, or authorities.

On the one hand, these are so-called processors who process your data on our behalf (Art. 28 GDPR). Ultimately, however, we remain responsible for the processing.

Other recipients of your data include, for example:

• Tax, audit, or other authorities
• The Chamber of Commerce and Industry
• Our tax advisor

You can find out at any time who your data has been passed on to by us.

 

Hosting and Content Delivery Networks (CDN)

This website is hosted by an external service provider (web host). The personal data collected on this website is stored on the hoster’s servers. This can include, in particular, IP addresses, contact inquiries, meta and communication data, contract data, contact data, names, website access, and other data generated via a website.

The use of the web host is for the purpose of fulfilling the contract with our potential and existing customers (Art. 6 para. 1 lit. b GDPR) and in the interest of a secure, fast, and efficient provision of our online offer by a professional provider (Art. 6 para. 1 lit. f GDPR).

Our web host will only process your data to the extent necessary to fulfill its service obligations and will follow our instructions regarding this data.

 

Google Calendar

Our website uses the Google Calendar service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”), to enable you to book appointments with us directly.

When you interact with the embedded Google Calendar to schedule a meeting, Google collects and processes information on our behalf. This process allows us to manage appointments efficiently and provides you with a convenient way to book a time slot.

1. Types of Data Processed

Depending on your interaction with the calendar, Google may collect and process the following personal data:

• Contact Information: Your name and email address.
• Appointment Details: The date, time, and purpose of the appointment.
• Technical Data: Your IP address, device information, and browser details.

This data is used to create and manage the calendar event. Google provides us with access to the event details so we can prepare for our meeting with you.

2. Purpose of Data Processing

We process the data collected via Google Calendar for the following purposes:

• Appointment Management: To facilitate and manage your appointment booking with us.
• Communication: To contact you regarding your appointment.
• Service Improvement: To understand demand for appointments and optimize our scheduling process.

3. Legal Basis for Processing

The processing of your data through Google Calendar is based on your consent, in accordance with Art. 6 (1) lit. a GDPR, which you give when you actively use the calendar to book an appointment. You can withdraw your consent at any time by contacting us, though this will not affect the lawfulness of any processing that occurred before your withdrawal.

In some cases, the processing may also be necessary for the performance of a contract or to take steps at your request before entering into a contract, in accordance with Art. 6 (1) lit. b GDPR.

4. Data Transfer to Third Countries

Google is a US-based company, and your data may be transferred to and processed in the USA. To ensure a high level of data protection, Google participates in the EU-US Data Privacy Framework and uses Standard Contractual Clauses approved by the EU Commission. These measures are designed to ensure that your data remains protected in accordance with EU data protection standards.

For more information, you can read Google’s privacy policy at: https://policies.google.com/privacy

5. Your Rights as a Data Subject

You have the right to request access to, correction of, or deletion of your personal data. You also have the right to restrict the processing of your data or to object to its processing.

If the data processing is based on your consent, you have the right to withdraw it at any time. To exercise any of these rights, please contact the data controller listed above.

You also have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the GDPR.

6. Duration of Storage

Data collected via Google Calendar is stored for as long as necessary to manage your appointment and for a reasonable period thereafter, in accordance with our data retention policies and legal obligations.

 

Google Drive

We use the cloud service Google Drive, provided by Google Inc. The services for the European market are managed by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).

When we use Google Drive to store and manage documents and other data, your personal information may be processed. This typically occurs when we save documents you have provided to us or files containing your data (e.g., contracts, proposals, or communications).

1. Types of Data Processed

The personal data stored on Google Drive may include, but is not limited to:

• Contact Information: Names, email addresses, phone numbers, and physical addresses.
• Communication Data: Emails, messages, and other correspondence.
• Document and File Data: Any personal information contained within documents, spreadsheets, presentations, or other files that we store in our Google Drive.
• Technical Data: As part of Google’s service, some technical data related to the use of the platform (e.g., access times, IP addresses) may be processed.

2. Purpose of Data Processing

We process the data stored on Google Drive for the following purposes:

• Business Operations: To organize, store, and manage our business documents and files, including those related to our customers and partners.
• Collaboration: To facilitate internal and external collaboration by securely sharing documents.
• Fulfilling Legal Obligations: To store records as required by law (e.g., for tax or commercial purposes).
• Service Provision: To provide and improve our services to you.

3. Legal Basis for Processing

The processing of your data through Google Drive is primarily based on one or more of the following legal bases:

• Performance of a contract: The processing is necessary for the performance of a contract with you or in order to take steps at your request prior to entering into a contract, in accordance with Art. 6 (1) lit. b GDPR.
• Legitimate interests: The processing is necessary for the purposes of our legitimate interests, such as effective business management, secure document storage, and efficient collaboration, in accordance with Art. 6 (1) lit. f GDPR.

4. Data Transfer to Third Countries

Google Inc. is a US-based company, which means your data may be transferred to and processed in the USA. To ensure an adequate level of data protection, Google participates in the EU-US Data Privacy Framework. This framework is a mechanism to ensure the correct and secure transfer of personal data of EU citizens to the USA.

Furthermore, Google uses Standard Contractual Clauses (SCCs) approved by the EU Commission. These are model clauses that guarantee an appropriate level of data protection, ensuring your data is protected according to European standards even when processed in a third country like the USA.

You can find more information about Google’s privacy policy at: https://policies.google.com/privacy

8. Your Rights as a Data Subject

You have the right to request access to, correction of, or deletion of your personal data. You also have the right to restrict the processing of your data or to object to its processing.

If the data processing is based on your consent, you have the right to withdraw it at any time. To exercise any of these rights, please contact the data controller listed above.

You also have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the GDPR.

9. Duration of Storage

The data stored on Google Drive is retained for as long as it is necessary for the purposes mentioned above, or as required by law (e.g., for commercial or tax reasons). We will delete your data once these purposes no longer apply.

 

Microsoft 365

For internal work, we use the software cloud service Office 365 from Microsoft Corporation,One Microsoft Way, Redmond, WA 98052-6399 in the USA for email processing, telecommunications, and file storage. For this reason, data that you give us via our contact form is transferred to Microsoft so that we can view it and contact you.

Further information and the provider’s applicable data protection regulations can be accessed at the following link: https://privacy.microsoft.com/de-de/privacystatement

 

DocuSign

We use the DocuSign service from DocuSign, Inc. (hereinafter “DocuSign”) to securely send, sign, and manage documents electronically.

When you sign a document we send you via DocuSign, certain information about your interaction is automatically collected by DocuSign. The processing of this data is carried out on our behalf and serves to enable and verify the electronic signing process.

1. Type of Data Processed

DocuSign collects and processes the following data about you, depending on your interaction with the document:

• Identification Data: Your name, email address, and IP address.
• Signature Data: The electronic signature you provide.
• Interaction Data:
  • The fact that you have opened, viewed, and signed the document.
  • Date and time of these actions.
  • Your location at the time of signing.
  • Device and browser information.

This data is provided to us by DocuSign in the form of a certificate of completion, which serves as a legal record of the transaction.

2. Purpose of Data Processing

The processing of the above data serves the following purposes:

• Legal and contractual necessity: The use of DocuSign allows us to fulfill our legal and contractual obligations to you by obtaining legally binding electronic signatures.
• Verification and security: The collected data helps to verify the identity of the signer and ensures the integrity and security of the signed documents.
• Record keeping: The data is used to create a comprehensive and auditable record of the signing process.

3. Legal Basis for Processing

The processing of your data by DocuSign is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract, in accordance with Art. 6 (1) lit. b GDPR. In some cases, the processing may also be based on our legitimate interest in maintaining a secure and verifiable signing process, in accordance with Art. 6 (1) lit. f GDPR.

4. Data Transfer to Third Countries

DocuSign, Inc. is a US-based company, and your data may be transferred to and processed in the USA. DocuSign uses standard contractual clauses from the EU Commission to ensure an adequate level of data protection in accordance with the requirements of the GDPR.

You can find more information about DocuSign’s privacy policy at: https://www.docusign.com/privacy/

5. Your Rights as a Data Subject

You have the right at any time to receive information about your processed data, its origin, and the purpose of the processing. Furthermore, you have the right to correction, deletion, or restriction of the processing of your data.

You can object to the processing of your personal data, which is based on Art. 6 (1) lit. f GDPR, at any time. To do so, please contact the data controller mentioned above.

You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the GDPR.

6. Duration of Storage

The data collected via DocuSign is stored for as long as it is necessary for the purposes mentioned above, or as required by law (e.g., for commercial or tax reasons).

7. Your Rights as a Data Subject

You have the right at any time to receive information about your processed data, its origin, and the purpose of the processing. Furthermore, you have the right to correction, deletion, or restriction of the processing of your data.

You can object to the processing of your personal data, which is based on Art. 6 (1) lit. f GDPR, at any time. To do so, please contact the data controller mentioned above.

You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the GDPR.

8. Duration of Storage

The data collected via DocSend is stored for as long as it is necessary for the purposes mentioned above or until you object to the processing.

 

OWNLY Platform 

To provide our clients with a comprehensive, secure, and modern digital platform for asset overview and reporting, Kapstone Solutions utilizes the specialized client platform service known as Kapstone Portal provided by Ownly FinTech GmbH (Getrudenstraße 9, 20095 Hamburg, Germany). Ownly FinTech GmbH operates the OWNLY Platform, including the OWNLY Advisor application.

In this relationship, Kapstone Solutions is the Data Controller (determining the purposes and means of processing), and Ownly FinTech GmbH acts as our Data Processor (processing the data on our behalf and according to our instructions).

1. Data Processed by Ownly FinTech GmbH

As part of providing the client platform service, Ownly FinTech GmbH processes the following categories of personal data on our behalf:

• Client Identification Data: Name, contact details (e-mail address, phone number), and any login credentials required for platform access.
• Financial and Asset Data: Information regarding your aggregated assets, including banking information, custody account details, illiquid assets (e.g., real estate), and performance data, as necessary to generate your wealth reports and provide a consolidated overview.
• Technical/Usage Data: Information related to your use of the platform, such as IP address, browser information, and login times, used for security, service delivery, and statistical analysis.

2. Purpose and Legal Basis for Processing

The data is processed by Ownly FinTech GmbH strictly for the purpose of delivering the contracted client platform services to Kapstone Solutions, which include:

• Providing a consolidated digital overview of your assets.
• Generating comprehensive wealth and performance reports.
• Ensuring the technical operation, security, and maintenance of the client platform.

The legal basis for this processing is the contract between the client and Kapstone Solutions GmbH (Art. 6(1)(b) GDPR), or our legitimate interest in using a secure and professional service provider (Art. 6(1)(f) GDPR), as applicable.

3. Data Security and Location

We have established a formal Data Processing Agreement with Ownly FinTech GmbH, which contractually binds them to implement technical and organizational measures to protect your personal data, consistent with the requirements of the General Data Protection Regulation (GDPR).

Key security features of the Ownly FinTech platform include:

• Secure Storage: All data is stored on a central, separate server located exclusively in Germany.
• Encryption: Personal data is encrypted throughout and protected by SSL standards during transmission.
• Access Control: Ownly FinTech GmbH employees and third parties do not have unauthorized access to your passwords and account data.
• Certification: Ownly FinTech GmbH utilizes a German server provider certified to the highest security standards, including ISO 27001 and BSI (German Federal Office for Information Security) compliance.

4. Client Rights and Contact

As the Data Controller, Kapstone Solutions remains the primary point of contact for exercising your data subject rights (e.g., right of access, rectification, or erasure) concerning the data held on the Ownly Platform.

• To exercise your rights, please contact us directly at contact@kapstone.solutions
• For more detailed information on data security and processing procedures of the platform provider, you may consult the public Privacy Policy of Ownly FinTech GmbH, which is available on their website at https://www.ownly.de/datenschutzerklarung

 

Calendly

Our website uses the scheduling service Calendly, provided by Calendly LLC, 115 E Main St, Ste A1B, Rockmart, GA 30153, USA, to allow you to book and manage appointments with us conveniently.

When you use the integrated Calendly widget or link to schedule an appointment, your data is processed on our behalf to facilitate the booking process and synchronize our schedules.

 

1. Types of Data Processed

When booking an appointment via Calendly, the following personal data is typically collected:

• Contact Information: Name, email address, and phone number (if required).
• Appointment Details: Subject of the meeting, preferred date and time, and any notes or messages you provide in the booking form.
• Technical Data: IP address, time of the request, and browser information.
• Calendar Data: Information regarding the specific time slot selected.

 

2. Purpose of Data Processing We process this data for the following purposes:

• Scheduling: To enable you to select and book available time slots for consultations or meetings.
• Confirmation and Reminders: To send you automated booking confirmations and meeting reminders via email or SMS.
• Organization: To manage our internal business calendar and prepare for the scheduled interaction.

 

3. Legal Basis for Processing 

The processing of your data through Calendly is based on your consent in accordance with Art. 6 (1) lit. a GDPR, which you provide by actively using the scheduling tool. If the appointment serves the preparation or performance of a contract (e.g., a preliminary consultation), the legal basis is Art. 6 (1) lit. b GDPR.

 

4. Data Transfer to Third Countries 

Calendly LLC is a provider based in the USA. Consequently, your data may be transferred to and stored on servers in the United States. To ensure an adequate level of data protection, Calendly utilizes Standard Contractual Clauses (SCCs) approved by the EU Commission and participates in the EU-US Data Privacy Framework. These measures ensure that your data is protected according to European standards. You can find more information in Calendly’s privacy policy: https://calendly.com/privacy

 

5. Your Rights as a Data Subject 

You have the right to access, correct, or delete your personal data. If the processing is based on consent, you may withdraw it at any time with effect for the future. Please note that deleting this data may result in the cancellation of your scheduled appointment. To exercise your rights, please contact the data controller listed in this policy.

 

6. Duration of Storage 

The data collected via Calendly will be stored by us for as long as necessary to process the appointment request or until the purpose for storage no longer applies. Legal retention periods (e.g., for commercial or tax purposes) remain unaffected.

 

DocSend

We use the DocSend service, provided by DocSend Inc. (a subsidiary of Dropbox, Inc.), 180 Sansome St, San Francisco, CA 94104, USA, to securely share, manage, and track access to our business documents and presentations.

When you access a document via a DocSend link provided by us, certain information about your interaction is collected. This allows us to protect our intellectual property and understand which content is most relevant to our clients.

 

1. Types of Data Processed 

Depending on the settings of the specific document link, DocSend may collect the following data:

• Identification Data: Your email address (if required for access) and IP address.
• Engagement Data: Which pages of a document you viewed, the duration of time spent on each page, and whether the document was downloaded or forwarded.
• Technical Data: Device type, operating system, and browser information.

 

2. Purpose of Data Processing 

The processing of this data serves the following purposes:

• Information Security: To control and monitor access to confidential business documents.
• Analytics: To analyze how our documents are used and to improve the quality and relevance of our information.
• Follow-up: To provide targeted information and responses based on your interest in specific document sections.

 

3. Legal Basis for Processing 

The processing is based on our legitimate interest (Art. 6 (1) lit. f GDPR) in the secure provision of our business documents and the analysis of our service’s effectiveness. If you provide your email address to access a document, the processing may also be based on your consent (Art. 6 (1) lit. a GDPR) or for the performance of a contract (Art. 6 (1) lit. b GDPR).

 

4. Data Transfer to Third Countries 

DocSend is a US-based service. To ensure an adequate level of data protection, Dropbox/DocSend relies on Standard Contractual Clauses (SCCs) approved by the EU Commission and participates in the EU-US Data Privacy Framework. This ensures that your personal data is treated in accordance with European data protection standards. Further information can be found in DocSend’s privacy policy: https://www.docsend.com/privacy/

 

5. Your Rights as a Data Subject 

You have the right at any time to request information about your processed data, its origin, and the purpose of the processing. You also have the right to correction, deletion, or restriction of the processing. You may object to the processing of your data based on legitimate interests at any time. To exercise these rights, please contact the data controller mentioned above.

 

6. Duration of Storage 

The data collected via DocSend is stored for as long as it is necessary for the purposes mentioned above or until you object to the processing, provided that no legal retention obligations (e.g., commercial or tax laws) prevent its deletion.

 

User Rights

 

What are your rights?

Since we process your personal data, you have various rights (Art. 15 to 22 and Art. 77 GDPR). We are happy to help you exercise your rights.

We would therefore like to inform you about your rights at this point:

 

Withdrawal of your consent to data processing

If you have consented to processing, you can withdraw this consent at any time for the future. An informal email to us is sufficient for this. You can also choose any other way to inform us.

Right to lodge a complaint with the competent supervisory authority

In the event of violations of the GDPR, you have the right to lodge a complaint with a supervisory authority. An overview of the German authorities can be found here: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

 

Right to data portability

You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done if it is technically feasible.

 

Information, deletion, and correction

Within the framework of the applicable legal provisions, you have the right at any time to free information about your stored personal data, its origin and recipient, and the purpose of the data processing and, if applicable, a right to correct or delete this data. You can contact us at any time for this (see the section “Who processes your data?”). An informal email to us is sufficient for this. You can also choose any other way to inform us.

 

Right to object to data collection in special cases and direct marketing

IF THE DATA PROCESSING IS BASED ON ART. 6 PARA. 1 F GDPR (LEGITIMATE INTEREST), YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA AT ANY TIME FOR REASONS ARISING FROM YOUR PARTICULAR SITUATION; THIS ALSO APPLIES TO PROFILING. THE RESPECTIVE LEGAL BASIS ON WHICH A PROCESSING IS BASED CAN BE FOUND IN THIS PRIVACY POLICY. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR PERSONAL DATA CONCERNED, UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING THAT OVERRIDE YOUR INTERESTS, RIGHTS, AND FREEDOMS OR THE PROCESSING SERVES THE ASSERTION, EXERCISE, OR DEFENSE OF LEGAL CLAIMS (OBJECTION ACCORDING TO ART. 21 PARA. 1 GDPR).

 

Right to restriction of processing

You have the right to request the restriction of the processing of your personal data. You can contact us for this (see the section “Who processes your data?”).

The right to restriction of processing exists in the following cases:

If you dispute the accuracy of your personal data stored by us, we usually need time to verify this. For the duration of the review, you have the right to request the restriction of the processing of your personal data.

If the processing of your personal data was/is unlawful, you can request the restriction of data processing instead of deletion.

If we no longer need your personal data, but you need it to assert, exercise, or defend legal claims, you have the right to request the restriction of the processing of your personal data instead of deletion.

If you have lodged an objection according to Art. 21 para. 1 GDPR, a balancing of your interests and ours must be carried out. As long as it has not yet been determined whose interests prevail, you have the right to request the restriction of the processing of your personal data.

If you have restricted the processing of your personal data, this data – apart from its storage – may only be processed with your consent or for the assertion, exercise, or defense of legal claims or to protect the rights of another natural or legal person or for reasons of an important public interest of the European Union or a member state.

Privacy Policy – Version from 01.01.2026