Privacy Policy

Information according to GDPR, BDSG and TDDDG

Your privacy is important to us. Learn how we collect, use, and protect your personal data.

Introduction

We, innobu GmbH, located at Heidewinkel 1, 24955 Harrislee, Germany, take the protection of your personal data very seriously. This privacy policy describes how we collect, use and protect your data when you visit our website www.innobu.com. We comply with all relevant data protection laws, including the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and the Telecommunications Digital Services Data Protection Act (TDDDG).

Data Controller

The data controller responsible for processing your personal data is:

innobu GmbH
Heidewinkel 1
24955 Harrislee
Germany
Email: info@innobu.com

Our data protection officer can be reached at info@innobu.com.

Data We Collect

When you visit our website, we may collect the following personal data:

  • Name
  • Email address
  • Company information
  • Phone number
  • Message content when using our contact form
  • Browsing data (e.g., IP address, browser type, device information and browsing behavior)
  • Cookie data
  • Location data

Automatic Data Collection

When you access our website, certain information is automatically collected by our servers and applications. This data includes:

  • IP address (anonymized)
  • Date and time of access
  • Name and URL of the accessed file
  • Website from which access was made (referrer URL)
  • Browser type and version
  • Operating system used

We collect this data to ensure the proper functioning of our website, improve the user experience, analyse trends and manage the website.

Purpose of Data Collection

We collect your personal data for the following purposes:

  • To provide and maintain our services: To respond to enquiries via our contact form, process requests and fulfil contractual obligations.
  • To analyse website traffic: We use Google Analytics to understand how visitors interact with our website, optimise the user experience and improve our online presence.
  • To ensure security: We process certain data to detect and prevent potential security threats and unauthorised access.
  • To fulfil legal obligations: We may process your data to comply with applicable laws and regulations.

Legal Basis for Processing

We process your personal data on the basis of the following legal grounds:

  • Consent (Art. 6(1)(a) GDPR): When you accept cookies for analytics or provide your data for specific purposes (e.g. contact form).
  • Legitimate interests (Art. 6(1)(f) GDPR): For analytics, website functionality, security measures and business development activities.
  • Performance of a contract (Art. 6(1)(b) GDPR): For enquiries via the contact form or when providing services to you.
  • Legal obligation (Art. 6(1)(c) GDPR): Where we are required to process your data to comply with a legal obligation.

Data Transfers

Your data is primarily processed and stored within the European Union (EU) or the European Economic Area (EEA). However, some of our service providers may be based outside the EU/EEA. In such cases, we ensure that appropriate safeguards are in place to protect your data, such as:

  • EU Standard Contractual Clauses
  • Adequacy decisions of the European Commission
  • Binding Corporate Rules

We only transfer data to countries or organisations that provide an adequate level of data protection in accordance with GDPR standards.

Cookies and Analytics

We use cookies to improve the user experience and to analyse traffic via Google Analytics. Cookies are small text files stored on your device when you visit our website. We use both session cookies (which expire when you close your browser) and persistent cookies (which remain on your device for a set period).

Types of cookies we use

  • Essential cookies: These cookies are required for the basic functionality of our website and cannot be disabled.
  • Analytics cookies: We use Google Analytics to collect anonymous information about how visitors use our website. These cookies help us understand visitor patterns and improve our website.
  • Marketing cookies: These cookies are used to track visitors across websites so that we can display relevant advertising.

For more information about how Google Analytics handles your data, please refer to Google's privacy policy.

Google Analytics configuration

We have configured Google Analytics to anonymise IP addresses, respect Do-Not-Track signals and minimise data collection. The retention period for your data in Google Analytics is 14 months, after which it is automatically deleted.

Consent Management (CCM19)

We use the consent management service CCM19 to manage and store your cookie consent choices. CCM19 is a service provided by Papoo Software & Media GmbH, Auguststr. 4, 53229 Bonn, Germany.

When you visit our website, CCM19 records your consent decisions and stores them in a cookie (ccm_consent) so that your preferences are retained on future visits. Anonymised consent data is transmitted to CCM19's servers. All data is processed and stored exclusively on servers in Germany; no data is transferred to third countries.

Data processed: Anonymised consent signals (no personal data), technical metadata (browser type, consent timestamp).

Purpose: Obtaining verifiable and revocable cookie consent in accordance with GDPR and TDDDG; documentation of consents pursuant to Art. 7(1) GDPR.

Legal basis: Art. 6(1)(c) GDPR (legal obligation to obtain and document consent) and Art. 6(1)(f) GDPR (legitimate interest in legally compliant consent management); § 25 TDDDG.

Data processing agreement: A data processing agreement pursuant to Art. 28 GDPR has been concluded with Papoo Software & Media GmbH. For more information on data protection at CCM19, please visit www.ccm19.de.

Contact Form

When you contact us via the contact form, we process the data you enter (name, email address, message). Additionally, technical metadata such as the calling page (page_url), referrer (referrer) and your browser user agent (user_agent) may be transmitted to classify and answer your request.

Legal basis: Art. 6(1)(a) GDPR (consent) for the contact itself; where necessary for the initiation or performance of pre-contractual measures, additionally Art. 6(1)(b) GDPR.

Retention period: Data from the contact form is generally retained for 24 months (2 years) after the last contact and then deleted, provided no statutory retention obligations apply.

Recipients/processing: The data is stored and processed in a PostgreSQL database hosted by our data processor Supabase (EU region). Appropriate contractual and technical measures (including a data processing agreement) have been put in place.

Spam protection: To protect against abusive and automated submissions, we use, in addition to a minimum dwell time and a honeypot field, Google reCAPTCHA v3 (see next section).

Google reCAPTCHA v3

To protect our contact form from spam and abuse, we use reCAPTCHA v3, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. reCAPTCHA analyses user behaviour and generates a score that helps us identify automated requests.

For this purpose, Google may collect information about your device and your usage (e.g. IP address, mouse and keyboard interactions, dwell time, browser and device properties) and transmit it to Google servers. Data may be transferred to the USA. Google bases such transfers on, among other things, the EU–US Data Privacy Framework and appropriate safeguards (e.g. Standard Contractual Clauses).

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in protecting against spam and abuse). Where we load reCAPTCHA only after your consent, the legal basis is additionally Art. 6(1)(a) GDPR.

Note: This page is protected by reCAPTCHA; Google's Privacy Policy and Terms of Service apply. The reCAPTCHA token generated in the form is used exclusively server-side for verification and is not stored permanently; optionally, we log score/action/hostname in anonymised form for diagnostic and abuse-protection purposes.

Supabase (Storage and Processing of Form Data)

We store contact form submissions with Supabase (EU region). Supabase processes the data on our behalf in accordance with Art. 28 GDPR. We have concluded a data processing agreement with Supabase and ensure that data is processed within the EU.

For more information on data protection at Supabase, please visit supabase.com/privacy and for technical and organisational measures supabase.com/security.

Data Sharing

We share personal data only with the following parties:

  • Hosting provider: IONOS SE, which hosts our website and ensures its availability and security.
  • Analytics provider: Google Analytics, for analysing website usage.
  • Form service/backend: Supabase (EU region), for secure storage and processing of contact form submissions (data processing in accordance with Art. 28 GDPR).
  • Consent management: Papoo Software & Media GmbH (CCM19), for the legally compliant management and documentation of cookie consents (data processing in accordance with Art. 28 GDPR, hosted in Germany).
  • IT service providers: Technical service providers who assist us with the maintenance of our IT systems and the functionality of our website.

We do not share your data with other third parties unless we are legally required to do so or you have given us your explicit consent. We have concluded data processing agreements with all service providers to ensure the protection of your data.

Data Security

We take appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access. These measures include:

  • SSL/TLS encryption for all data transfers
  • Regular security assessments and penetration tests
  • Access controls and authentication procedures
  • Employee training on data protection and security
  • Regular backups to prevent data loss

We regularly review and update our security measures to ensure the ongoing protection of your data.

Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR): You may request information about your personal data.
  • Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR): You may request the deletion of your personal data.
  • Right to restriction of processing (Art. 18 GDPR): You may request the restriction of processing.
  • Right to data portability (Art. 20 GDPR): You may request to receive your data in a machine-readable format.
  • Right to object (Art. 21 GDPR): You may object to the processing of your data.
  • Right to withdraw consent (Art. 7(3) GDPR): You may withdraw your consent at any time.

To exercise any of these rights, please contact us at datenschutz@innobu.com. We will respond to your request within one month.

Right to Lodge a Complaint

You also have the right to lodge a complaint with your local data protection authority. In Germany, the responsible authority is:

Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (Independent Centre for Privacy Protection Schleswig-Holstein)
Holstenstraße 98
24103 Kiel
Website: www.datenschutzzentrum.de

Data Retention

We do not retain your personal data for longer than is necessary for the purposes for which it was collected. The criteria we use to determine our retention periods include:

  • The period required to fulfil the purposes set out in this privacy policy
  • Legal obligations that require data to be retained for specific periods
  • Limitation periods for legal claims
  • Business requirements

Specific retention periods:

  • Contact form data: 2 years after last contact
  • Analytics data: 14 months
  • Log files: 7 days

Once the purpose for which the data was collected no longer applies, your data will be deleted or anonymised, unless a statutory or regulatory retention obligation applies.

Protection of Minors

Our services are not intended for persons under the age of 18. We do not knowingly collect personal data from children under the age of 18. If we discover that we have collected personal data from a child under the age of 18 without verifying parental consent, we will take steps to remove that information from our servers.

Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by publishing the updated privacy policy on this page and updating the date of last revision at the top of the page.

We recommend that you review this privacy policy periodically for any changes. Changes to this privacy policy take effect upon their publication on this page.

Contact

If you have any questions about this privacy policy or our data practices, please contact:

innobu GmbH
Attn: Data Protection
Heidewinkel 1
24955 Harrislee
Germany
Email: datenschutz@innobu.com