Privacy Policy

Dear visitor to this website, the protection of your personal data is not only important to you, but also to us, the controller of the "Machine Spirits" website (hereinafter referred to as "we", "us"). We appreciate your trust that we will handle your personal data conscientiously and in accordance with the law. Your data will be treated confidentially by us. With this data protection notice, we not only wish to comply with our legal obligation under Art. 13 and 14 GDPR, but also to provide you with a clear description of what personal data is collected when you visit our website and how we handle it.

1. Controller

The controller pursuant to Art. 24 GDPR is

Machine Spirits UG (limited liability)
c/o Startplatz
Im Mediapark 5
50670 Cologne, Germany

You can contact the controller with your concerns at any time using the contact details above or via e-mail at [email protected].

2. Provision of the Website

This section explains which of your data we process in order to provide you with our website.

2.1 Provision of our Website

2.1.1 Purposes

This processing serves the external presentation of our company.

2.1.2 Types of Data

We process connection data (access data and terminal device data) as categories of data relating to you.

2.1.3 Legal Basis

The legal basis is the implementation of necessary pre-contractual measures and fulfillment of contracts pursuant to Art. 6 para. 1 subpara. 1 lit. b GDPR.

2.1.4 Requirement

The processing of the above-mentioned data relating to you is necessary for you to contact us. If you do not provide us with the above-mentioned data relating to you, we will not be able to display our website to you.

2.1.5 Storage Period

The storage period is for the duration of the browser session.

2.1.6 Recipients

The above-mentioned data relating to you will be processed by our website host Cloudflare, Inc, 101 Townsend Street, San Francisco, CA 94107, USA as our processor. The above-mentioned data relating to you will be transferred to the USA as a third country with an adequacy decision pursuant to Art. 45 GDPR.

2.2 Website Security

2.2.1 Purposes

This processing serves to ensure the trouble-free operation of the website.

2.2.2 Types of Data

We process connection data (access data and terminal device data) and your system information as categories of data relating to you.

2.2.3 Legal Basis

The legal basis is Art. 6 para. 1 subpara. 1 lit. c GDPR in conjunction with Art. 24 and Art. 32 GDPR. We are legally obligated to ensure the security of processing and the trouble-free operation of the website.

2.2.4 Storage Period

The storage duration is 30 days.

2.2.5 Recipients

The above-mentioned data relating to you will be processed by our website host Cloudflare, Inc, 101 Townsend Street, San Francisco, CA 94107, USA as our processor. The above-mentioned data relating to you will be transferred to the USA as a third country with an adequacy decision pursuant to Art. 45 GDPR.

3. Contacting Us

This section explains how you can contact us and which of your data we process when you contact us.

3.1 Contact Us by E-Mail or Telephone

3.1.1 Purposes

Processing by email or phone serves to answer inquiries as well as customer acquisition, contract processing, and press/data protection inquiries.

3.1.2 Data Types

We process your contact data (email address or phone number) and the content of your inquiry as categories of data relating to you.

3.1.3 Legal Basis

The legal basis is the implementation of necessary pre-contractual measures and fulfillment of contracts pursuant to Art. 6 Para. 1 Subpara. 1 lit. b GDPR.

3.1.4 Necessity

The processing of the above-mentioned data relating to you is necessary for processing your request. If you do not provide us with the above-mentioned data relating to you, we cannot process your request.

3.1.5 Storage Duration

The storage duration is six months unless a contract has been concluded. The contract-relevant data will then be stored in accordance with the respective regulations.

3.1.6 Recipients

When contacting us by email, the above-mentioned data relating to you is transmitted to our email host Gmail of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, and Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The above-mentioned data relating to you is transferred to the USA as a third country with an adequacy decision pursuant to Art. 45 GDPR.

3.2 Scheduling a Consultation Appointment

3.2.1 Purposes

This processing serves to arrange a consultation appointment with us.

3.2.2 Data Types

We process appointment data, your name, your email address, as well as other voluntary information as categories of data relating to you.

3.2.3 Legal Basis

The legal basis is the implementation of necessary pre-contractual measures and fulfillment of contracts pursuant to Art. 6 Para. 1 Subpara. 1 lit. b GDPR.

3.2.4 Necessity

The processing of the above-mentioned data relating to you is necessary for processing your request. If you do not provide us with the above-mentioned data relating to you, we cannot process your request.

3.2.5 Storage Duration

The storage duration is six months unless a contract has been concluded. The contract-relevant data will then be stored in accordance with the respective regulations.

3.2.6 Recipients

When arranging a consultation appointment, the above-mentioned data relating to you is transmitted to our email host Gmail of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, and Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The above-mentioned data relating to you is transferred to the USA as a third country with an adequacy decision pursuant to Art. 45 GDPR.

3.3 Contact Form Submission

3.3.1 Purposes

This processing serves to receive and manage contact inquiries submitted through our website contact form.

3.3.2 Data Types

We process your email address, message content, and optionally your name and company name as categories of data relating to you. Your IP address and browser information (page URL, page title) are transmitted to our processor over an encrypted (TLS) connection.

3.3.3 Legal Basis

The legal basis is the implementation of necessary pre-contractual measures and fulfillment of contracts pursuant to Art. 6 Para. 1 Subpara. 1 lit. b GDPR.

3.3.4 Necessity

The processing of your email address and message is necessary to process your contact request. If you do not provide this data, we cannot process your inquiry.

3.3.5 Storage Duration

The storage duration is six months unless a contract has been concluded. Contract-relevant data will then be stored in accordance with the respective regulations.

3.3.6 Recipients

When you submit the contact form, your data is transmitted directly from your browser to HubSpot as our processor for contact management and CRM (HubSpot Ireland Limited, 1 Sir John Rogerson's Quay, Dublin 2, Ireland, and HubSpot, Inc., 25 First Street, Cambridge, MA 02141, USA). We use HubSpot's EU data center; the submission is transmitted to servers within the European Union. To the extent data is transferred to the USA, the transfer is safeguarded by the EU-US Data Privacy Framework (adequacy decision pursuant to Art. 45 GDPR), where HubSpot holds a current certification, or otherwise by standard contractual clauses pursuant to Art. 46 GDPR.

4. Web Analytics and Visitor Tracking

This section explains which of your data we process to understand how our website is used. We do not use session recording: no visual recording of your visit takes place.

4.1 Cloudflare Web Analytics

4.1.1 Purposes

This processing serves to measure aggregate website usage (page views, visits, referrers, countries, load performance) in order to improve our website.

4.1.2 Types of Data

We process connection data and aggregated usage data. Cloudflare Web Analytics does not use cookies, does not store information on your device, and does not create individual visitor profiles; measurements are aggregated.

4.1.3 Legal Basis

The legal basis is Art. 6 para. 1 subpara. 1 lit. f GDPR. Our legitimate interest is the statistical analysis of website usage in order to improve our offering.

4.1.4 Storage Period

Data is processed in aggregated form; no individual usage profiles are stored.

4.1.5 Recipients

The data is processed by Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA, as our processor. To the extent data is transferred to the USA, the transfer is safeguarded by the EU-US Data Privacy Framework (adequacy decision pursuant to Art. 45 GDPR), where Cloudflare holds a current certification, or otherwise by standard contractual clauses pursuant to Art. 46 GDPR.

4.1.6 Your Right to Object

In accordance with Art. 21 GDPR, you have the right to object to the processing of your personal data as described above if there are grounds relating to your particular situation. You can exercise your right to object by sending an email to [email protected].

4.2 Web Analytics with PostHog

4.2.1 Purposes

This processing serves to understand how visitors use our website (pages viewed, navigation paths, interactions with page elements) in order to improve our website, our content, and our services, and, with your consent, to recognize returning visitors and analyze usage across multiple visits.

4.2.2 Operating Modes

We operate PostHog in two modes. Without your consent, the tool runs in a session-only mode: no cookies are set and no information is stored on your device; usage data is processed pseudonymously and cannot be linked to you across visits. With your consent, PostHog additionally stores a recognition token on your device so that repeat visits can be linked: a cookie (name beginning with "ph_", lifetime twelve months) and a corresponding entry in your browser's local storage that remains until you withdraw consent or clear your browser storage. Data collected before your consent is not linked to this token. We do not use session recording in either mode.

4.2.3 Types of Data

We process connection data, terminal device data, and usage data (pages viewed, clicks, scroll behavior, session duration, referrer). Your IP address is used to deliver the data; PostHog derives an approximate location (country, region, city) from it and then discards the raw IP address, so it is not stored with the collected events. With consent: additionally the recognition token described above. If you submit our contact form after giving consent, your usage data is linked to your inquiry, including your email address.

4.2.4 Legal Basis

For the session-only mode, the legal basis is Art. 6 para. 1 subpara. 1 lit. f GDPR; our legitimate interest is the analysis and improvement of our website. For the extended mode (recognition token), the legal basis is your consent pursuant to Art. 6 para. 1 subpara. 1 lit. a GDPR and § 25 para. 1 TDDDG.

4.2.5 Storage Period

Usage data is stored for a maximum of twelve months and then deleted or anonymized. The recognition cookie is stored on your device for twelve months; the corresponding local-storage entry remains until you withdraw consent or clear your browser storage.

4.2.6 Recipients

The data is processed by PostHog, Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA, as our processor. Processing and storage take place exclusively on servers in Frankfurt am Main, Germany (PostHog EU Cloud). The data is transmitted via an endpoint on our own domain. To the extent PostHog, Inc. as a US company can access the data, the transfer is safeguarded by the EU-US Data Privacy Framework (adequacy decision pursuant to Art. 45 GDPR), where PostHog holds a current certification, or otherwise by standard contractual clauses pursuant to Art. 46 GDPR.

4.2.7 Objection and Withdrawal

For the session-only mode (based on Art. 6 para. 1 subpara. 1 lit. f GDPR), you have the right under Art. 21 GDPR to object to the processing if there are grounds relating to your particular situation. You can exercise your right to object by sending an email to [email protected]. For the extended mode, the legal basis is your consent (Art. 6 para. 1 subpara. 1 lit. a GDPR). You have the right to withdraw your consent at any time with effect for the future. This does not affect the lawfulness of the processing carried out on the basis of your consent up to the point of withdrawal. You can withdraw your consent to this processing activity at any time by unchecking the "Web analytics" box within the cookie banner or cookie settings (link in the page footer), or by sending an email to [email protected].

4.3 Visitor Tracking with HubSpot

4.3.1 Purposes

This processing serves customer acquisition and customer relationship management: with your consent, we record which pages of our website you visit so that, once you contact us, we can see your previous interest in our services and respond to your inquiry in a more informed way. We also use this data to assess the relevance of inquiries (lead evaluation). This constitutes profiling within the meaning of Art. 4 no. 4 GDPR; no automated decision-making within the meaning of Art. 22 GDPR takes place.

4.3.2 Types of Data

We process connection data, usage data (pages viewed, visit times), and the following cookies: hubspotutk (visitor recognition), __hstc (visit history), __hssc (session tracking), __hssrc (session marker). If you submit our contact form, this usage data is linked to your contact record. If you have also consented to web analytics, your analytics identifier is additionally stored in that record so the two usage histories can be joined.

4.3.3 Legal Basis

The legal basis is your consent pursuant to Art. 6 para. 1 subpara. 1 lit. a GDPR and § 25 para. 1 TDDDG.

4.3.4 Storage Period

The cookies have the following lifetimes: hubspotutk (visitor recognition) six months, __hstc (visit history) six months, __hssc (session tracking) thirty minutes, __hssrc (session marker) until the browser is closed. Usage data linked to a contact record is stored for as long as the contact record itself: six months unless a contract has been concluded, after which contract-relevant data is stored in accordance with the respective statutory retention periods.

4.3.5 Recipients

The data is processed by HubSpot Ireland Limited, 1 Sir John Rogerson's Quay, Dublin 2, Ireland, and HubSpot, Inc., 25 First Street, Cambridge, MA 02141, USA, as our processors. We use HubSpot's EU data center; processing takes place on servers within the European Union. To the extent data is transferred to the USA, the transfer is safeguarded by the EU-US Data Privacy Framework (adequacy decision pursuant to Art. 45 GDPR), where HubSpot holds a current certification, or otherwise by standard contractual clauses pursuant to Art. 46 GDPR.

4.3.6 Withdrawal

You have the right to withdraw your consent at any time with effect for the future. This does not affect the lawfulness of the processing carried out on the basis of your consent up to the point of withdrawal. You can withdraw your consent to this processing activity at any time by unchecking the "CRM & marketing" box within the cookie banner or cookie settings (link in the page footer), or by sending an email to [email protected].

5. Consent Management

5.1 Purposes

This processing serves the management and documentation of your decisions (consent or rejection, separately per purpose) regarding the storage of information on your device and the processing of your data for analytics and marketing purposes (Section 4.2 extended mode and Section 4.3). We are legally obligated to be able to demonstrate given consent (accountability principle, Art. 7 para. 1 GDPR).

5.2 Types of Data

We process your decisions (one separate decision each for the extended analytics mode, Section 4.2, and for HubSpot visitor tracking, Section 4.3), the time of the decision, and technical metadata of the decision. Your decisions are stored in a cookie on your device (ms-consent, twelve months). A record of the decision (consent receipt) is stored in our analytics system.

5.3 Legal Basis

The legal basis for processing the above-mentioned data relating to you is our obligation to provide evidence pursuant to Art. 6 para. 1 subpara. 1 lit. c GDPR in conjunction with Art. 5 para. 2 and Art. 7 para. 1 GDPR. The storage of a cookie on your terminal device, which is technically necessary for administering and documenting your consent, is based on Art. 5 para. 2 GDPR in conjunction with Art. 6 para. 1 subpara. 1 lit. c GDPR in conjunction with § 25 para. 2 no. 2 TDDDG.

5.4 Necessity

The processing of the above-mentioned data relating to you is necessary for the fulfillment of our legal obligations.

5.5 Storage Period

The consent cookie (ms-consent) is stored for twelve months. We store the consent receipt for twelve months.

5.6 Recipients

Your binding consent state is stored on your device, in the ms-consent cookie. A record of each decision (the consent receipt) is also transmitted to and stored by our analytics processor PostHog, Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA; this record includes your analytics and marketing decision values. Processing and storage take place exclusively on servers in Frankfurt am Main, Germany (PostHog EU Cloud). A rejection record carries only a session-level pseudonymous identifier and is not linked to you across visits. To the extent PostHog, Inc. as a US company can access the data, the transfer is safeguarded by the EU-US Data Privacy Framework (adequacy decision pursuant to Art. 45 GDPR), where PostHog holds a current certification, or otherwise by standard contractual clauses pursuant to Art. 46 GDPR.

6. Data Subject Rights

Data protection law grants you as a data subject rights concerning the handling of data relating to you. We guarantee you the implementation of your data subject rights in relation to us. More on this in this section.

6.1 Your Data Subject Rights

You have the following rights with regard to the personal data concerning you: right to information and to receive a copy of your data, right to rectification, right to erasure and to be forgotten, right to restriction of processing, right to object to processing, right to data portability. You also have the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data by us.

6.2 Data Subject Rights Management

6.2.1 Purposes

This processing serves the data protection-compliant handling of data subject rights.

6.2.2 Data Types

We process all categories of data as categories of data relating to you.

6.2.3 Legal Basis

The legal basis for Machine Spirits UG is Art. 6 Para. 1 Subpara. 1 lit. c GDPR in conjunction with Chapter III GDPR.

6.2.4 Necessity

The processing of the above-mentioned data relating to you is necessary for the fulfillment of our legal obligations.

6.2.5 Storage Duration

The storage duration is three years.

6.2.6 Recipients

The above-mentioned data relating to you is processed by our email host.

7. Liability Insurance Seal from Exali AG

7.1 Description and Scope of Data Processing

This page uses an integration of the liability insurance seal from Exali AG. The graphic element of the seal is loaded from Exali AG servers. Due to the technical design of the internet, your IP address is processed to transmit the graphic to your browser. If you click on this seal, you will leave our site and be redirected to Exali AG servers. More information can be found in Exali's privacy policy: https://www.exali.de/Ueber-exali/Rechtliches/Datenschutzerklaerung,100401.php#Verwendung/Einbindung%20des%20exali.de-Haftpflicht-Siegels

7.2 Legal Basis for Data Processing

The legal basis for data processing is Art. 6 Para. 1 lit. f) GDPR (legitimate interest).

7.3 Purpose of Data Processing

The data processing serves the purpose of providing visually appealing proof of the legally required information regarding professional liability insurance according to § 2 Para. 11 DL-InfoV).

7.4 Legitimate Interest

Our legitimate interest in data processing arises from the purpose of providing an appealing online presence and fulfilling our information obligations in a visually appealing manner.