PRIVACYPolicy

IONOS

The provider is IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany (hereinafter IONOS). When you visit our website, IONOS collects various log files including your IP addresses. The servers are located in Germany.

For details, please refer to the privacy policy of IONOS: https://www.ionos.de/terms-gtc/terms-privacy.

The use of IONOS is based on Art. 6(1)(f) GDPR. We have a legitimate interest in our website being displayed as reliably as possible. If consent has been requested, processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25(1) TDDDG, insofar as the consent includes the storage of cookies or access to information on the user's device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

Data processing agreement

We have concluded a data processing agreement (AVV) for the use of the above-mentioned service. This is a contract required by data protection law that ensures IONOS processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

Privacy

The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data-protection regulations and this privacy policy.

Responsible body

The body responsible for data processing on this website is:

Designer Spanndecken Baarstraße 23 58636 Iserlohn Germany Phone: +49 172 2895055 Email: info@designer-spanndecken.de

Storage period

Unless a more specific storage period has been mentioned within this privacy policy, your personal data will remain with us until the purpose of the data processing no longer applies. If you assert a justified deletion request or revoke consent to data processing, your data will be deleted, unless statutory retention obligations apply.

The following specific retention periods apply:

• Contact requests (website forms, emails): up to 90 days after final handling of your request, provided no contractual relationship arises.
• Contract data (order, quote, correspondence related to the works contract): at least 6 years after contract conclusion due to commercial and tax-law obligations (§ 147 AO); 10 years for accounting records and invoices (§ 257 HGB).
• Server log files (IP address, user agent, access time, referer): 14 days, then automatic deletion. The IP address is pseudonymised in the logs (last octet set to 0).
• Consent logs (e.g. form consent): for as long as the consent has effect; thereafter, for evidentiary purposes pursuant to Art. 7(1) GDPR, up to 3 years.

Withdrawal of your consent to data processing

Many data processing operations are only possible with your express consent. You can revoke consent that has already been given at any time. The lawfulness of the data processing carried out before the revocation remains unaffected.

Data Protection Officer

Due to the size of our business (sole proprietorship), we are not legally required to appoint a Data Protection Officer (§ 38 BDSG: appointment becomes mandatory only when at least 20 persons are continuously involved in the automated processing of personal data).

Please direct data protection inquiries to the controller listed above.

SSL/TLS encryption

For security reasons and to protect the transmission of confidential content, this site uses SSL/TLS encryption. You can recognise an encrypted connection by the browser address line changing from "http://" to "https://" and by the lock icon in your browser bar.

When SSL/TLS encryption is active, the data you transmit to us cannot be read by third parties.

Your rights as a data subject

You have the following rights with regard to your personal data, where the legal requirements are met:

• Right of access to your personal data stored by us and to information on its processing (Art. 15 GDPR).
• Right to rectification of inaccurate personal data (Art. 16 GDPR).
• Right to erasure of your data stored by us (Art. 17 GDPR).
• Right to restriction of processing, where we are not yet permitted to delete your data due to legal obligations (Art. 18 GDPR).
• Right to object to the processing of your data (Art. 21 GDPR).
• Right to data portability, where you have consented to data processing or have entered into a contract with us (Art. 20 GDPR).
• Right to withdraw consent at any time. The legality of processing carried out on the basis of consent until its withdrawal remains unaffected (Art. 7(3) GDPR).

Right to lodge a complaint with the supervisory authority

In the event of breaches of data protection law, you have a right to lodge a complaint with the competent supervisory authority (Art. 77 GDPR). The competent supervisory authority for us is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen Kavalleriestraße 2-4 40213 Düsseldorf, Germany Phone: +49 211 38424-0 Email: poststelle@ldi.nrw.de Web: https://www.ldi.nrw.de

Transfer to third countries

Your personal data is not transferred to third countries (countries outside the European Union and the European Economic Area). Our hosting provider (IONOS SE) operates its servers exclusively in Germany.

Automated decision-making

No automated decision-making, including profiling within the meaning of Art. 22 GDPR, takes place on this website.

Cookies

Our websites use so-called "cookies". Cookies are small data packages and do not cause any damage to your device. They are stored on your device either temporarily for the duration of a session (session cookies) or permanently (permanent cookies).

Server log files

The provider of these pages automatically collects and stores information in so-called server log files, which your browser transmits to us automatically. These are:

• Browser type and browser version
• Operating system used
• Referrer URL
• Hostname of the accessing computer
• Time of the server request
• IP address

Contact form

If you send us enquiries via the contact form, your details from the enquiry form, including the contact data you provide there, will be stored by us for the purpose of processing the enquiry and in case of follow-up questions. We do not share this data without your consent.

Enquiries by email, phone or fax

If you contact us by email, phone or fax, your enquiry, including all personal data arising from it (name, request), will be stored and processed by us for the purpose of handling your enquiry. We do not share this data without your consent.

Service Worker / Progressive Web App

This website uses a Service Worker (sw.js) to make content available offline and to reduce loading time on repeat visits (Progressive Web App, PWA). The Service Worker stores static resources (HTML, CSS, JavaScript, images, fonts) in your device's browser cache.

No personal data is collected or transmitted to us in this process — the cache resides exclusively on your device. You can delete the cache at any time via your browser settings or disable the Service Worker.

Legal basis is Art. 6(1)(f) GDPR (legitimate interest in fast, reliable provision of the website).

Google Maps

If you enable the service in the cookie banner, we display Google Maps content. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland. When the map loads, your IP address is transferred to Google. As long as the service is not enabled, no data is transferred to Google.

Fonts (locally hosted)

For consistent typography this website uses fonts that are hosted locally on our own server. No connection to third-party servers (such as the Google Fonts CDN) is established; your IP address is not transmitted to external providers when fonts are loaded.

Social media

Our website contains links to our profiles on social networks (Instagram, TikTok, Facebook). These are plain hyperlinks without embedded tracking technologies — data transfer to the respective platforms does not occur when you simply visit our pages, but only after you click on one of the links.

On click, your browser is redirected to the respective platform. The platform operator may collect data (e.g. IP address, browser information, date and time of access). The scope and purposes of processing are governed by the respective provider's own privacy policy:

• Instagram (Meta Platforms Ireland Ltd, 4 Grand Canal Square, Dublin 2, Ireland): https://privacycenter.instagram.com/policy/
• TikTok (TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, Ireland): https://www.tiktok.com/legal/page/eea/privacy-policy/en
• Facebook (Meta Platforms Ireland Ltd, address as above): https://www.facebook.com/about/privacy

Google Tag Manager (GTM)

When you enable the "Usage analytics" category in the cookie banner, we load Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Tag Manager itself is a tool we use to manage and load other measurement tags (e.g. Google Analytics 4) — it does not collect personal data independently of those tags.

As long as you have not enabled the category, no script is loaded and no data is transmitted to Google. Once enabled, your truncated IP address and technical browser information may be transmitted to Google. Any onward transfer to the United States takes place on the basis of the EU-US Data Privacy Framework (Art. 45 GDPR).

Legal basis: Art. 6(1)(a) GDPR (consent). You can withdraw your consent at any time via the "Cookie settings" link in the footer.

Further information: https://policies.google.com/privacy?hl=en

Microsoft Clarity

When you enable the "Microsoft Clarity" category in the cookie banner, we record anonymised session traces (mouse movement, scroll and click events) and build heatmaps from them. The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland ("Microsoft").

Input fields (e.g. name, phone, e-mail in the contact form) and content marked as sensitive are automatically masked by Clarity and do not enter the recording. Without your consent no script is loaded and no recording takes place.

We collect in particular: truncated IP address, browser and device information, pages visited and timestamps, and aggregated interaction data. Transfer to Microsoft servers in the United States may occur on the basis of the EU-US Data Privacy Framework (Art. 45 GDPR).

Retention: up to 13 months. Legal basis: Art. 6(1)(a) GDPR (consent), withdrawable at any time via "Cookie settings".

Further information: https://privacy.microsoft.com/en-us/privacystatement

Content management system (Strapi)

To manage the content of our website we use the open-source CMS Strapi (https://strapi.io/). Strapi runs on the same IONOS server in Germany as the website itself and is accessible via a separate sub-domain (cms.designer-spanndecken.de) exclusively for administrative purposes (login of authorised staff). The sub-domain is additionally protected via Basic Authentication and hidden from search engines via a `noindex` directive.

When you simply visit our website, no direct data transfer from your browser to the Strapi instance takes place — content and images are delivered server-side via the Next.js Image Optimisation process; your browser communicates exclusively with the main-domain server.

When authorised staff log in to the Strapi admin backend, standard login data is processed for authentication and abuse prevention: IP address, login timestamp, user agent. This data is stored for 14 days in the system logs (see the Server Log Files section).