Privacy Notice

We, Site Cockpit GmbH, Engeldamm 20, 10179 Berlin, together with our subsidiaries (hereinafter jointly: "the Company", "we" or "us"), take the protection of your personal data seriously and would like to inform you here about data protection in our company. With the entry into force of the EU General Data Protection Regulation (Regulation (EU) 2016/679; hereinafter: "GDPR"), additional obligations have been imposed on us under our data protection responsibility to ensure the protection of personal data of the data subject (hereinafter also addressed as "customer", "user", "you" or "data subject"). Where we alone or jointly with others determine the purposes and means of data processing, this includes in particular the obligation to inform you transparently about the nature, scope, purpose, duration and legal basis of the processing (cf. Articles 13 and 14 GDPR). With this statement (hereinafter: "Privacy Notice") we inform you about how your personal data is processed by us.

A. General

(1) Definitions
Following Article 4 GDPR, the following definitions form the basis of this Privacy Notice:
– "Personal data" (Art. 4 1 GDPR) means any information relating to an identified or identifiable natural person ("data subject"). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an ID number, location data, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. The means likely reasonably to be used to identify a person are also relevant. It does not matter in what form or on what medium the information is stored.
– "Processing" (Art. 4 2 GDPR) means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, restriction, erasure or destruction.
– "Controller" (Art. 4 7 GDPR) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
– "Processor" (Art. 4 8 GDPR) means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
– "Third party" (Art. 4 10 GDPR) means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
– "Consent" (Art. 4 11 GDPR) of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.

(2) Name and Address of the Controller
The controller within the meaning of Art. 4 7 GDPR for the processing of your personal data is:
Site Cockpit GmbH Engeldamm 20 10179 Berlin Phone: +49(0)30 403 64 98 98 Email: kontakt@sitecockpit.com For further company details please refer to the imprint on our website at www.sitecockpit.com.

(3) Legal Bases for Data Processing
By law, any processing of personal data is prohibited unless and to the extent that one of the following legal bases applies:
– Art. 6 1 a GDPR (Consent): the data subject has given consent to the processing of their personal data for one or more specific purposes;
– Art. 6 1 b GDPR (Contract): processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
– Art. 6 1 c GDPR (Legal obligation): processing is necessary for compliance with a legal obligation to which the controller is subject;
– Art. 6 1 d GDPR (Vital interests): processing is necessary in order to protect the vital interests of the data subject or another natural person;
– Art. 6 1 e GDPR (Public interest): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
– Art. 6 1 f GDPR (Legitimate interests): processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Storage of information on the data subject’s device or access to information already stored on the device is permitted only if one of the following legal bases under the German Telecommunications-Telemedia Data Protection Act (TTDSG) applies:
– Section 25 1 TTDSG: the data subject has given consent;
– Section 25 2 1 TTDSG: the sole purpose is the transmission of a communication over a public telecommunications network;
– Section 25 2 2 TTDSG: storage or access is strictly necessary to provide an expressly requested telemedia service.

(4) Data Deletion and Retention Periods
For each processing operation, we indicate below the retention period of personal data. If no specific period is stated, data will be erased or blocked as soon as the purpose of storage ceases to apply. Storage generally takes place on servers in Germany, subject to any transfers under A.(6) and A.(7).
Data may be retained beyond the stated period in the event of pending or imminent legal disputes or if otherwise required by statutory retention obligations (e.g. §§ 257 HGB, 147 AO). Once those obligations expire, data will be blocked or deleted unless further storage is necessary and legally permitted.

(5) Data Security
We employ appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or unauthorized access by third parties (e.g. TLS encryption on our website), taking into account the state of the art, implementation costs, and the nature, scope, context and purposes of processing as well as the risks for data subjects. Our security measures are continually improved in line with technological developments.

(6) Cooperation with Processors
To conduct our business, we engage external service providers (e.g. in IT, logistics, telecommunications, sales, marketing). These providers act only on our instructions and are contractually bound to comply with data protection regulations in accordance with Art. 28 GDPR. Any transfer of personal data to our subsidiaries is based on corresponding processor agreements.

(7) Transfers to Third Countries
Your personal data may be transferred to recipients outside the European Economic Area (EEA) only to fulfill contractual and business obligations (legal basis Art. 6 1 b or f GDPR in conjunction with Art. 44 ff. GDPR). Transfers to countries with an adequacy decision by the European Commission take place on that basis. For other countries, we ensure adequate safeguards such as Binding Corporate Rules or EU Standard Contractual Clauses (Art. 46 GDPR).

(8) No Automated Decision-Making (Including Profiling)
We do not use personal data for automated decision-making or profiling.

(9) No Obligation to Provide Personal Data
Entering into contracts with us does not depend on providing personal data in advance. You are not legally or contractually obliged to provide data; however, without necessary data, certain services may be limited or unavailable. You will be informed separately if this applies.

(10) Legal Obligation to Disclose Data
We may be legally required to disclose your personal data to third parties, particularly public authorities (legal basis Art. 6 1 c GDPR).

(11) Your Rights
You have the following rights under the GDPR regarding your personal data: – Art. 15 GDPR: Right to access; – Art. 16 GDPR: Right to rectification; – Art. 17 GDPR: Right to erasure; – Art. 18 GDPR: Right to restriction of processing; – Art. 20 GDPR: Right to data portability; – Art. 21 GDPR: Right to object; – Art. 7 3 GDPR: Right to withdraw consent at any time; – Art. 77 GDPR: Right to lodge a complaint with a supervisory authority (e.g. Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59–61, 10555 Berlin, mailbox@datenschutz-berlin.de). You may exercise these rights at any time using the contact details given under A.(2).

(12) Changes to This Privacy Notice
We regularly review our Privacy Notice to reflect legal, technical, or organizational changes. Updates are published on our website at www.sitecockpit.com. This Notice is current as of April 2025.

B. Website Visits

(1) Purpose
You can obtain information about our company and services via www.sitecockpit.com and its subpages ("Websites"). When you visit our Websites, personal data can be processed.

(2) Categories of Data Processed
– "Log Data": When you visit our Websites, a temporary and anonymized server log is created containing: referring URL, requested page name and URL, date/time, browser type/version, IP address (anonymized), data volume, operating system, status code, and timezone offset. – "Contact Form Data": Data you submit via contact forms (e.g. salutation, name, address, company, email, submission time). – "Newsletter Data": To send you our newsletter, we collect referring URL, date/time of signup, browser type, anonymized IP, email address, signup and confirmation timestamps. We use Web Beacons and tracking pixels to analyze user behavior, linking data pseudonymously to a unique ID. Links in the newsletter carry that ID for analytics only; they are not linked to personal data.

(3) Purpose and Legal Basis
We process the above data in accordance with GDPR and applicable laws: – Log Data: for statistical and website optimization purposes (legal basis Art. 6 1 f or a GDPR). – Contact Form Data: to handle inquiries (Art. 6 1 b or f GDPR). – Newsletter Data: to send newsletters based on your consent (Art. 6 1 a GDPR) via double opt-in; you can withdraw consent at any time by clicking the unsubscribe link or emailing kontakt@sitecockpit.com. Cookie-based processing also relies on Section 25 TTDSG as applicable.

(4) Retention
Your data is retained only as long as necessary for the processing purposes and legal obligations (see A.(4)). Third parties retain your data as needed to provide their services under contract with us.

(5) Disclosure to Third Parties
The following categories of recipients, typically processors, may gain access: – Service providers for website operation and data processing (Art. 6 1 b or f GDPR); – Public authorities as required by law (Art. 6 1 c GDPR); – Parties involved in business operations (auditors, banks, insurers, legal advisors) (Art. 6 1 b or f GDPR). For transfers to third countries, see A.(7). We only disclose data to others with your explicit consent (Art. 6 1 a GDPR).

(6) Use of Cookies, Plugins and Other Services

a) Cookies
We use cookies—small text files stored by your browser—to make our site more user-friendly and effective. Cookies cannot execute programs or transmit viruses. Types of cookies: – Technical Cookies: essential for site navigation and security; – Performance Cookies: anonymized usage statistics to improve the site; – Advertising/Targeting Cookies: for personalized ads, retained up to 13 months; – Sharing Cookies: to enhance integration with other services, retained up to 13 months. Strictly necessary cookies are permitted under Section 25 2 2 TTDSG. All other cookies require your explicit consent under Section 25 1 TTDSG in conjunction with Art. 6 1 a GDPR. We only share cookie data with third parties upon your consent.

b) Social Media Plugins
We do not use social media plugins. Any social media icons link passively to the respective providers’ pages.

C. Use of Payment Service Providers

(1) Stripe
We offer payment via Stripe, 510 Townsend St., San Francisco, CA 94103, based on our legitimate interest in providing a secure payment method (Art. 6 1 f GDPR). We share only the data required to process payments (cardholder name, email, customer and order numbers, bank details, card data, transaction date/time, amount, provider name, location). Without these data, Stripe cannot process your payment. As controller and processor, Stripe uses data to fulfill regulatory obligations (Art. 6 1 f GDPR) and execute contracts (Art. 6 1 b GDPR). We have no influence over Stripe’s internal processes. Stripe’s international data transfers are secured by EU Standard Contractual Clauses. For objection and deletion options, see https://stripe.com/de/legal/privacy-center. We retain data until payment processing, including refund handling, debt collection, and fraud prevention, is complete.

(2) PayPal
We offer payment via PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg, under our legitimate interest in providing a secure payment method (Art. 6 1 f GDPR). We share only the data required to process payments (first name, last name, address, email, phone). Without these data, PayPal cannot process your payment. PayPal may perform credit checks when you use certain services; this is done under PayPal’s legitimate interest (Art. 6 1 f GDPR) and for contract execution (Art. 6 1 b GDPR). Data shared for credit checks (name, address, date of birth, bank details) are passed to credit agencies; we only receive approval or rejection. For objection and deletion options, see https://www.paypal.com/de/legalhub/paypal/privacy-full. Data are retained until payment processing, including refunds, debt collection, and fraud prevention, is complete.