
Privacy Policy

1. Preamble / Publication Notice

1.1 Purpose and Scope (Website PHP without CMS)

This privacy policy provides transparent information about the nature, scope, purposes, legal bases, and recipients of personal data processing in connection with:

  • the impressum.gobbltech.com website (PHP-based without CMS) and
  • related services and communications.

It specifically describes:

  • which data is processed locally on the server and which data might be processed by third parties,
  • which legal bases apply in each case (including consent),
  • which third parties/recipients are involved (e.g., ProtonMail, hosting providers),
  • retention periods, deletion concepts, and data subject rights,
  • as well as the technical and organizational measures (TOMs) for data protection.

This declaration is directed at users and visitors of the website and applies regardless of how the website is accessed or which functions are used.

1.2 Notice: This version will be published on the website

  • This privacy policy will be published identically on the website (separate page).
  • Changes/versioning will be made transparently visible in both publications (see chapter "Changes & Updates").
  • As individual services are activated in the future, the corresponding sections will be supplemented and – where necessary – new consent will be obtained.

1.3 Validity for Website without Tracking

  • Website: This privacy policy applies to the published website impressum.gobbltech.com.
  • Privacy-focused approach: The website deliberately refrains from tracking/analytics and marketing cookies. Only technically necessary data is processed (e.g., server log files, contact form emails) – details in the website chapters.
  • No tracking: We consciously avoid analytics tools, social media plugins, and marketing technologies that would require extensive data processing.

2. Data Controller, Contact & Imprint

2.1 Data Controller (Name, Legal Form, Addresses incl. c/o Delivery Address)

Data Controller within the meaning of Art. 4 No. 7 GDPR

Danilo Endesfelder – Sole Proprietorship

Delivery/Service Address (c/o): c/o Nico Eberhardt, Pfotenhauerstraße 65, 01307 Dresden, Germany

Note on address protection: The specified address is a delivery address (c/o). The private address of the operator is not published for privacy protection reasons.

VAT ID: TBD (to be added)

Responsible for content (§ 18 Abs. 2 MStV): Danilo Endesfelder, c/o Nico Eberhardt, Pfotenhauerstraße 65, 01307 Dresden, Germany

2.2 Communication Channels (Email general, Phone, Contact Form)

gobbltech@proton.me

We use the ProtonMail service of Proton AG, Route de la Galaise 32, 1228 Plan-les-Ouates, Switzerland, for email communication. Data processing is based on Art. 6 Para. 1 lit. f GDPR. Proton AG processes data in a country with a recognized adequate level of data protection according to Art. 45 GDPR. Further information can be found at: https://proton.me/legal/privacy

Contact form: via the website https://impressum.gobbltech.com/contact.php

Legal notice: A telephone number is not mandatory (ECJ, C-298/07; BGH, PM 41/2025). For the legally required quick and direct contact, we provide email and a contact form.

2.3 Data Protection Contact

For all data protection concerns (e.g., access, rectification, deletion, withdrawal, objection) you can reach us at:

gobbltech@proton.me

All data protection requests are processed via the main email address.

2.4 Official Imprint (binding URL)

Binding exclusively: https://impressum.gobbltech.com/

2.5 Competent Data Protection Supervisory Authority (Address, Tel., Fax, Email, Web)

Saxon Data Protection and Transparency Commissioner

Maternistraße 17, 01067 Dresden, Germany

Tel.: +49 351 85471-101

Fax: +49 351 85471-109

post@sdtb.sachsen.de

www.datenschutz.sachsen.de

2.6 Data Protection Officer (Status: not appointed)

Currently, no data protection officer is appointed as there is no legal obligation.

Should the obligation arise, the information will be supplemented here immediately.

3. Definitions (GDPR Definitions)

3.1 Personal Data

Personal data means any information relating to an identified or identifiable natural person (hereinafter "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

3.2 Data Subject

Data subject is any identified or identifiable natural person whose personal data is processed by the controller responsible for the processing.

3.3 Processing

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3.4 Restriction of Processing

Restriction of processing is the marking of stored personal data with the aim of limiting their processing in the future.

3.5 Profiling

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

3.6 Pseudonymization

Pseudonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

3.7 Controller

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

3.8 Processor

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

3.9 Recipient

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

3.10 Third Party

Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

3.11 Consent

Consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

4. Principles of Data Processing

4.1 Lawfulness, Purpose Limitation, Transparency

Lawfulness (Art. 5 Para. 1 lit. a, Art. 6 GDPR)

We process personal data exclusively on a legal basis (in particular contract/contract performance, consent, legitimate interests, legal obligations). For consent, we inform in advance, document consent verifiably (timestamp/scope) and enable withdrawal at any time with future effect.

Purpose Limitation (Art. 5 Para. 1 lit. b)

Data is only processed for clearly defined, legitimate purposes (e.g., website provision, contact form processing, support communication). We examine purpose changes according to Art. 6 Para. 4 GDPR (compatibility test).

Transparency (Art. 5 Para. 1 lit. a, Art. 12–14)

We inform clearly and understandably about purposes, legal bases, retention periods, recipients, third country transfers, rights of data subjects as well as about the voluntary/mandatory nature of providing data. Changes to this declaration are versioned and published on the website.

4.2 Data Minimization & Storage Limitation

Data Minimization (Art. 5 Para. 1 lit. c)

We only collect data that is necessary for the respective function. The website deliberately refrains from tracking/analytics and marketing cookies. Only technically necessary data is processed.

Storage Limitation (Art. 5 Para. 1 lit. e)

We store data only as long as necessary for the purposes or as long as legal obligations exist. Specific deadlines and deletion concepts are described in Chapter 10.

Accuracy Principle (Art. 5 Para. 1 lit. d)

We take appropriate measures to ensure that stored data is factually correct and up-to-date. Corrections are made upon request.

4.3 Integrity & Confidentiality (Security)

Protection Goals (Art. 5 Para. 1 lit. f, Art. 32)

We ensure confidentiality, integrity, availability and resilience of systems.

Technical and Organizational Measures (TOMs)

Encryption in transit (TLS), server-side security, access controls (Least Privilege), logging/audit, server hardening/firewalls, backup/recovery concepts, incident response procedures including notifications according to Art. 33/34 GDPR. Details in Chapter 11.

Confidentiality on the Website

No disclosure of contact data without express consent. Minimal data processing through deliberate avoidance of tracking.

Access by Third Parties

Processors act under instruction based on Art. 28 GDPR and corresponding agreements; sub-processors are included under controlled conditions (see Chapters 8–9).

4.4 Privacy by Design & by Default

By Design (Art. 25 Para. 1)

The website is designed to process as little personal data as possible (no tracking, minimal log files, deliberate avoidance of analytics).

By Default (Art. 25 Para. 2)

Privacy-friendly default settings: No tracking activated, no marketing cookies, no analytics, minimal server logs.

Accountability (Art. 5 Para. 2)

We document processing (register according to Art. 30), control legal bases/consent, check DPIA when necessary (Art. 35) and train processes for data subject rights, deletions and incidents.

5. Website Processing (Operations & Legal Bases)

5.1 Server Logs (Technically Necessary Processing)

When accessing the website, the web server automatically processes certain technical data for the provision and security of the website.

Processed data:

  • IP address of the requesting device
  • Date and time of access
  • Requested page/resource
  • HTTP status code
  • Browser/client information
  • Referring page (if any)

Purposes:

  • Technical provision of the website
  • Ensuring IT security
  • Detection and defense against attacks
  • Error analysis for technical problems

Legal basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest in secure and stable website operation)

Retention period: Automatic deletion after 7 days

These logs serve exclusively technical purposes. No profiling or disclosure to third parties takes place.

5.2 Contact Form (if implemented)

When using the contact form, the data you enter is processed to handle your inquiry.

Processed data:

  • Email address
  • Name (if provided)
  • Message content
  • Time of message

Purposes:

  • Processing and responding to your inquiry
  • Communication regarding your request

Legal basis: Art. 6 Para. 1 lit. b GDPR (contract performance) or Art. 6 Para. 1 lit. f GDPR (legitimate interest in communication)

Retention period: Deletion after completion of the inquiry, at the latest after 2 years

Providing data in the contact form is voluntary. Without providing data, we cannot respond to your inquiry.

5.3 Deliberate Avoidance of Tracking

This website deliberately refrains from the following data processing:

  • No analytics tools (Google Analytics, etc.)
  • No marketing cookies
  • No social media plugins with data transmission
  • No tracking pixels or web beacons
  • No profiling or behavioral targeting
  • No remarketing or conversion tracking

This privacy-friendly approach corresponds to the principle of data minimization according to Art. 5 Para. 1 lit. c GDPR.

Only technically necessary session cookies are used (e.g., for language settings); these contain no personal data and are deleted after the session ends.

6. Website Processing

6.1 Server Logfiles (Contents, Purposes, Separate Storage)

The website impressum.gobbltech.com is operated without tracking. When accessing the pages, technically necessary server protocols are generated. These serve exclusively for operation, security and error analysis.

6.1.1 Processed Protocol Data (typical)

  • IP address of the requesting device
  • Date and time of access (timestamp)
  • Retrieved resource/URL, HTTP method (e.g., GET/POST)
  • Status code (e.g., 200, 404, 500), transmitted data volume
  • Referrer URL (the previously visited page, if transmitted by browser)
  • User agent (browser/OS type and version, device type)
  • Error/diagnostic entries in error logs (e.g., stack traces for server errors)
  • Server-side protection signals (e.g., rate limit hits, firewall events, bot/spam indicators)
  • No content analysis: No analysis of the contents of your inputs for marketing/profiling purposes.
  • No merging with other data sources (e.g., app usage data).

6.1.2 Purposes of Processing

  • Operation & functionality of the website, delivery of content
  • Security/defense against attacks, abuse and fraud prevention (e.g., DDoS detection, bot defense, firewall rules)
  • Error analysis & stability, performance monitoring, capacity planning
  • Traceability for technical failures and illegal access

6.1.3 Legal Bases

  • Art. 6 Para. 1 lit. f GDPR (legitimate interest) – secure, stable website operation and defense against attacks
  • Art. 6 Para. 1 lit. c GDPR (legal obligation) – if and to the extent we are legally obliged by official order to disclose or retain data (e.g., in the context of investigations)

6.1.4 Retention Period & Deletion

  • Access logs: short-term retention for technical operation (usually 7–14 days).
  • Error logs/security events: Storage until incident resolution/clarification; temporary extension may be necessary for security incidents.
  • Then deletion or anonymization (e.g., IP address shortening).

Specific deadlines depend on technical necessity in hosting operations; no long-term retention for marketing purposes.

6.1.5 Recipients & Data Processing

  • Hosting/operating service providers (data center/managed hosting) as processors according to Art. 28 GDPR – processing strictly purpose-bound according to instruction.
  • IT security service providers (if involved) in the context of fault/incident analyses – also commissioned processing.
  • Authorities/law enforcement – only within the legally prescribed framework and with corresponding obligation.

6.1.6 Separation from Other Data / No Profiling

  • Server log files are kept separate from other user-related data (e.g., contact form data, see 6.2).
  • No profiling, no cross-site tracking, no marketing/analysis purposes.

6.1.7 Security of Processing

  • TLS encryption (HTTPS) for transport paths
  • Hardening & firewalling at server/application level, rate limiting, bot/spam protection
  • Access/role principle (need-to-know), administration access logged
  • Regular updates/patches (website, server stack)

In connection with section 6.4 (Cookies & Tracking) we confirm that no analytics/marketing cookies are set and no third-party trackers are loaded.

6.2 Contact Form & Email (Purposes, Contents, Sending)

On the website we provide a contact form. Inputs are not stored in the website database but transmitted as email to us. Sending is done via ProtonMail. Alternatively, you can write to us directly by email.

6.2.1 Functional Description (Website)

  • Contact form: Transmission of form fields to the web server; immediate forwarding as email to our target mailboxes.
  • No ticket system: No separate helpdesk exists; processes are handled as emails.
  • No DB storage: Form contents are not persistently stored on the website (except short-term technical buffer storage/error queues, if necessary).

6.2.2 Processed Data (Contents)

  • Required/voluntary fields (form-dependent): Name (optional), email address, subject, message; optional phone number/attachment, if provided.
  • Metadata: Sending/receiving time, technical headers (message ID, routing), delivery status.
  • Server logs (see 6.1): Time, IP, user agent only in the context of website access (operation/security).

Please no sensitive content: Do not transmit special categories of personal data (Art. 9 GDPR) via the form/email, unless this is necessary and expressly desired (see 6.2.9).

6.2.3 Purposes

  • Processing your inquiry, follow-up questions and communication.
  • Evidence and documentation of case processing, as required.
  • Ensuring deliverability/error analysis (ProtonMail sending logs).

6.2.4 Legal Bases

  • Art. 6 Para. 1 lit. b GDPR (contract/contract initiation), if the inquiry has a contractual reference.
  • Art. 6 Para. 1 lit. f GDPR (legitimate interest) for general communication, support organization as well as IT security/deliverability (minimal protocols).
  • Art. 6 Para. 1 lit. c GDPR (legal obligation), if retention/evidence is legally required (only to the extent the data is personal).
  • Art. 6 Para. 1 lit. a in conjunction with Art. 9 Para. 2 lit. a GDPR for voluntary transmission of sensitive data (explicit consent required).

6.2.5 Recipients / Processors

  • ProtonMail (Proton AG, Switzerland) – for email sending of the form (adequate data protection level according to Art. 45 GDPR; no planned third country transfer).
  • Mail providers/mail clients – delivery/pickup of emails (transport TLS).
  • No disclosure for advertising/analysis purposes; no other third parties, except when legally obliged (authorities/law enforcement).

6.2.6 Retention Period & Deletion

  • Email mailbox: No automatic deletion; manual deletion after problem resolution.
  • ProtonMail sending logs: According to ProtonMail policies (see privacy policy of Proton AG).
  • Legal/evidence obligations: As applicable (e.g., correspondence with contractual reference), retention according to legal deadlines; otherwise deletion after purpose achievement.

6.2.7 Security

  • Transport encryption: Form → Server → ProtonMail → Target mailbox via TLS/end-to-end encryption.
  • Spam/abuse protection: Validations/CSRF protection (without tracking); no marketing pixels.
  • Access protection: Access only for authorized persons (need-to-know), administration access logged; strong passwords/MFA.

6.2.8 Voluntary Nature & Consequences of Non-Provision

  • Providing your email address and a message is required for processing. Without sufficient information, meaningful feedback may not be possible.
  • Alternatives: Direct sending by email or post (see contacts in section 2.2).

6.2.9 Special Categories (Art. 9 GDPR)

  • Please no sensitive data (e.g., health data) via form/email transmission.
  • If this is exceptionally necessary, processing takes place only with your explicit consent solely for the purpose of handling the request; then deletion, unless mandatory reasons prevent it.

6.2.10 Transparency Notes (References)

  • ProtonMail (data processing in Switzerland; adequate data protection level): Further information at https://proton.me/legal/privacy
  • Email security: Emails are end-to-end encrypted by ProtonMail. Additional PGP/S/MIME encryption is possible if you send particularly sensitive content.

6.3 Registration on the Website (currently not active)

6.3.1 Status

  • No registration for visitors is provided on the website.
  • No user accounts for website functions (e.g., comments, shop, customer area) are offered.
  • No user-relevant data processing for website logins is implemented.

6.3.2 Current Data Processing

  • Since no registration on the website is possible, no corresponding processing (collection, storage or use of registration data) takes place.
  • No passwords, no user profiles and no social logins are processed on the website.

6.3.3 Outlook (if activated in the future)

Should optional website registration be introduced in the future (e.g., for support portal, customer area, training material), corresponding data protection principles apply – only from activation. Before the start, we will update this privacy policy and – if necessary – obtain consent.

6.4 Cookies & Similar Technologies

Our website does not use statistics or marketing cookies. Only technically necessary cookies/similar technologies are used – especially for session control and possibly language settings.

6.4.1 Usage Overview

  • No tracking/analysis cookies, no marketing/retargeting cookies, no third-party pixels.
  • Technically necessary cookies (e.g., session, CSRF/security tokens, language settings).
  • No consent management required, as no optional tracking categories are active.

6.4.2 Technically Necessary Cookies (Examples)

  • Session/security cookies: for page delivery, session control, CSRF protection.
  • Language setting cookie: stores your chosen language (German/English).
  • Properties: purely functional, no tracking across websites, no profiling.

6.4.3 No Statistics/Marketing Cookies

  • No services like Google Analytics, Facebook Pixel, Hotjar or similar are loaded.
  • External content/fonts are self-hosted to avoid additional tracking cookies.
  • For future introduction of optional services: 1. Update of this privacy policy, 2. Obtaining consent via appropriate consent management.

6.4.4 Legal Bases

  • Technically necessary cookies: Art. 6 Para. 1 lit. f GDPR (legitimate interest in secure, functional operation).
  • Optional categories (currently none active): would be set exclusively on the basis of Art. 6 Para. 1 lit. a GDPR (consent).

6.4.5 Control & Browser Settings

  • Browser settings: You can delete/block cookies at browser level.
  • Consequences: If all cookies are blocked, certain website functions (e.g., language settings) may no longer work.
  • The website remains basically usable even without cookies.

6.4.6 Retention Periods & Deletion

  • Session cookies: Session-based (until browser closure).
  • Language setting cookie: 30 days, then automatic deletion.
  • Early deletion: possible at any time through browser settings.

7. Relevant Legal Bases (Overview)

7.1 Art. 6 Para. 1 lit. a–f GDPR (specifically related to impressum.gobbltech.com)

a) Consent (Art. 6 Para. 1 lit. a GDPR)

Used when a function is legally only permissible with prior opt-in or we voluntarily design it as such:

  • Special categories in contact form (e.g., health data): only voluntarily by the user and exclusively for request processing (Art. 9 Para. 2 lit. a, see 7.4).
  • Possibly future optional services (e.g., newsletter, extended analytics): consent via appropriate consent management before activation.
  • Future optional tracking/marketing cookies: would only be set after explicit opt-in.

b) Contract/Contract Performance (Art. 6 Para. 1 lit. b GDPR)

Required for providing the agreed website functions:

  • Contact form: Processing and answering inquiries with contractual reference.
  • Support communication: Answering/handling contract-related concerns.
  • Website provision: Basic technical functions for content delivery.

c) Legal Obligation (Art. 6 Para. 1 lit. c GDPR)

As applicable:

  • Evidence obligations (e.g., consent evidence Art. 7 Para. 1 GDPR for optional services).
  • Information/cooperation with authorities/courts, when legally prescribed.
  • Commercial/tax law retention, only to the extent the data is personal and such records actually arise with us (e.g., correspondence with billing reference).

d) Vital Interests (Art. 6 Para. 1 lit. d GDPR)

Usually not applicable for website operation. If processing should exceptionally be necessary to protect vital interests, we rely on this (currently no corresponding standard process on the website).

e) Public Task (Art. 6 Para. 1 lit. e GDPR)

Not applicable (no sovereign tasks).

f) Legitimate Interest (Art. 6 Para. 1 lit. f GDPR)

Balancing of interests with right to object (see 12.7). Typical cases:

  • Website operation & security: Server log files, firewall/rate limiting, error analysis (6.1).
  • Website stability: minimal protocols/error codes for technical problems, abuse/fraud prevention.
  • Communication: general support communication and organizational processes.
  • IT security: Protection against attacks, spam defense, technical integrity of the website.

7.2 Purpose Changes (Art. 6 Para. 4 GDPR)

Should processing for a purpose other than the originally collected one occur, we check compatibility according to Art. 6 Para. 4 GDPR based on:

  • Connection between original and intended purpose,
  • Collection circumstances (relationship to us, user expectations),
  • Nature of data (including special categories),
  • possible consequences for data subjects,
  • existing guarantees (e.g., pseudonymization, encryption, access restrictions).

A purpose change takes place only when these requirements are met (or a new legal basis, in particular consent, exists). Transparent information and, where necessary, renewed consent are ensured.

7.3 Consent & Withdrawal (Art. 7 GDPR) – plus national ePrivacy rule

Transparency & Proof

Consent is clearly explained, obtained per purpose and logged (time, scope). For optional services, appropriate consent management is used.

Withdrawal

Possible at any time with future effect – via website settings (if future optional services are offered), as well as via browser settings (cookies).

Consequences of Withdrawal

Website functionality basically remains intact; the respective affected optional function (e.g., extended analytics, marketing tools) is no longer used.

Additionally (Germany/ePrivacy): § 25 TTDSG

  • For storing/reading information on end devices (e.g., cookies, tracking IDs) – outside technically necessary cases – prior consent is generally required.
  • Our use: only technically necessary cookies (session, language settings), no statistics/marketing cookies (6.4).

7.4 Special Categories of Personal Data (Art. 9 Para. 2 GDPR)

Principle

We do not process special categories (Art. 9 Para. 1 GDPR) except when you voluntarily transmit them in contact forms or emails (e.g., health data for support-relevant inquiries).

Legal Basis

Art. 9 Para. 2 lit. a GDPR (explicit consent), given by your voluntary disclosure; the data is used exclusively for processing your inquiry.

Processing

  • No systematic collection of sensitive data.
  • No transmission of such content to third parties without explicit consent.
  • No processing for medical purposes, no profiling based on sensitive data.
  • Deletion after purpose achievement (processing of inquiry), unless legal retention obligations exist.

Application Process (only if used, see 15)

If applicants voluntarily provide sensitive information, processing likewise takes place only on the basis of Art. 9 Para. 2 lit. a GDPR; additionally § 26 BDSG (Germany) applies to employee data.

8. Third Parties/Processors

8.1 ProtonMail (Proton AG) – Email Communication

8.1.1 Role, Contract & Scope

  • Role: ProtonMail processes email communication as its own controller for the email infrastructure. We use ProtonMail for business communication and contact form forwarding.
  • Contractual basis: Usage agreement with Proton AG including their privacy policy and terms of service.
  • Instruction binding: ProtonMail acts as an independent email provider, not as a processor in the classic sense.

8.1.2 Processing Subject & Data Categories

  • Content data: Email contents from contact form submissions (name optional, email address, subject, message).
  • Communication data: Email correspondence between us and website visitors.
  • Metadata: Email headers, timestamps, routing information.
  • Account data: Our business email addresses and account information.

8.1.3 Purposes of Processing

  • Provision of email infrastructure for business communication.
  • Forwarding and storage of contact form inquiries.
  • Enabling secure, encrypted email communication.
  • Operational security and spam/abuse protection at email level.

8.1.4 Legal Bases

  • Art. 6 Para. 1 lit. b GDPR (contract/initiation) for processing contact inquiries.
  • Art. 6 Para. 1 lit. f GDPR (legitimate interest) for secure business communication and IT security.
  • Art. 6 Para. 1 lit. c GDPR (legal obligation) to the extent retention/evidence is legally required.

8.1.5 Location & International Transfers

  • Primary processing location: Switzerland (Proton AG, Geneva).
  • Legal status: Switzerland has an EU adequacy decision according to Art. 45 GDPR.
  • No planned third country transfers outside the adequate data protection level.
  • Server locations: Exclusively in Switzerland (no cloud providers in third countries).

8.1.6 Technical & Organizational Measures (TOMs)

  • End-to-end encryption: All emails are automatically encrypted.
  • Zero-access architecture: ProtonMail cannot view email contents in plain text.
  • Transport encryption: TLS for all connections.
  • Server security: Physical security in Swiss data centers, access control, monitoring.
  • Compliance: SOC 2 Type II, ISO 27001 certifications.

8.1.7 Retention Periods & Deletion

  • Email mailbox: No automatic deletion by ProtonMail; manual management by us.
  • Our deletion practice: Emails are deleted after purpose achievement (processing of inquiry), at latest after 2 years.
  • Legal retention: To the extent commercial/tax law retention obligations exist.
  • ProtonMail logs: Minimal connection logs for security purposes, limited retention.

8.1.8 Data Subject Rights & Transparency

  • Access/deletion/rectification: Requests are processed directly by us.
  • ProtonMail support: For technical questions about email infrastructure.
  • Transparency: Complete information in ProtonMail privacy policy.
  • Complaint right: With ProtonMail data protection officer or Swiss supervisory authority.

8.1.9 Special Notes & Controls

  • High security: End-to-end encryption and zero-access architecture provide additional protection.
  • Voluntary nature: Use of contact form is voluntary; alternative contact methods available.
  • No marketing use: Email addresses are not used for newsletters/marketing.
  • PGP support: Additional encryption for particularly sensitive content possible.

8.1.10 References & Further Information

  • ProtonMail Privacy Policy: https://proton.me/legal/privacy
  • ProtonMail Transparency Report: https://proton.me/legal/transparency
  • Swiss Data Protection Law: https://www.edoeb.admin.ch/

8.2 Hosting Provider (Web Server)

8.2.1 Role & Scope

  • Role: The hosting provider processes technical data as a processor according to Art. 28 GDPR.
  • Scope: Provision of server infrastructure for impressum.gobbltech.com.
  • Contractual basis: Data processing agreement (DPA) with corresponding technical and organizational measures.

8.2.2 Processed Data Categories

  • Server log files: IP addresses, timestamps, accessed URLs, HTTP status codes.
  • Technical metadata: User agent, referrer, transmitted data volume.
  • Security logs: Firewall events, attack detection, rate limiting data.
  • Performance data: Loading times, server utilization (anonymized).

8.2.3 Purposes & Legal Bases

  • Purposes: Website provision, technical operation, security, error analysis.
  • Legal basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest in secure website operation).
  • Balancing of interests: The technical necessity of this processing outweighs the minimal intrusion into visitors' rights, since only data required for delivery and security is processed and only for a short time.

8.2.4 Technical & Organizational Measures

  • Encryption: TLS 1.3 for all connections, encrypted storage.
  • Access control: Role principle, multi-factor authentication, audit logs.
  • Network security: Firewalls, DDoS protection, intrusion detection.
  • Backup & Recovery: Encrypted backups, disaster recovery plans.
  • Compliance: ISO 27001, SOC 2 or comparable certifications.

8.2.5 Retention Periods & Deletion

  • Access logs: 7-14 days for technical operation.
  • Security logs: Until resolution of security incidents.
  • Error logs: Until problem resolution, maximum 30 days.
  • Automatic deletion: After expiration of technical retention periods.

8.2.6 Location & Data Protection Level

  • Server location: European Union (Germany/France/Netherlands).
  • No third country transfer: All data remains in the EU.
  • GDPR compliance: Full compliance with European data protection standards.

8.3 Other Processors (as needed)

8.3.1 Content Delivery Network (CDN) - if used

  • Purpose: Acceleration of website delivery through geographically distributed servers.
  • Data processing: Anonymized performance data, no tracking cookies.
  • Legal basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest in performance).
  • Location: Only EU-based CDN providers with GDPR compliance.

8.3.2 SSL Certificate Provider

  • Purpose: Provision and management of SSL/TLS certificates.
  • Data processing: Domain validation, technical metadata.
  • Legal basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest in security).
  • Typical providers: Let's Encrypt (operated by the US-based ISRG), DigiCert (with corresponding guarantees). Certificate issuance transmits only the domain name and the public validation response to the CA, never visitor data.

8.3.3 Domain Registrar

  • Purpose: Registration and management of the domain gobbltech.com.
  • Data processing: WHOIS data, technical DNS management.
  • Legal basis: Art. 6 Para. 1 lit. c GDPR (legal obligation for domain registration).
  • Data protection: WHOIS privacy protection activated for personal data.

8.4 Exclusion of Certain Third Parties

  • No tracking services: Google Analytics, Facebook Pixel, etc. are deliberately not used.
  • No marketing tools: No CRM systems, newsletter tools or remarketing providers.
  • No social media plugins: No direct integrations of social networks with data transmission.
  • No advertising networks: No use of advertising banners or affiliate marketing tools.
  • Self-hosting: Fonts, JavaScript libraries and CSS frameworks are self-hosted.

Deliberately leaving these services out reflects our approach of data minimization and privacy-friendly website operation.

8.5 Future Extensions

  • Transparency principle: When introducing new processors, this privacy policy will be updated in advance.
  • GDPR compliance: All future service providers will be checked according to Art. 28 GDPR and contractually bound.
  • Consent when needed: Optional services (e.g., extended analytics) only after prior consent.
  • EU focus: Preference for EU-based providers with high data protection standards.

9. International Data Transfers

9.1 Overview of International Data Flows

Primary Processing

The main processing (website hosting, server logs, contact form) takes place exclusively in the European Union.

Minimal International Transfers

Only email communication via ProtonMail takes place in Switzerland, which has an EU adequacy decision.

No Tracking Transfers

Since we deliberately refrain from tracking, analytics and marketing tools, the typical third country transfers to US tech companies are eliminated.

9.2 ProtonMail (Switzerland) – Adequacy Decision

Adequate Data Protection Level

Switzerland has an EU adequacy decision according to Art. 45 GDPR. Transfers to ProtonMail (Proton AG, Switzerland) are therefore permissible without additional guarantees.

Transferred Data Categories

Email contents from contact form submissions and business correspondence.

Additional Protection

ProtonMail stores mailbox contents with zero-access encryption (the provider cannot read them) and offers end-to-end encryption for Proton-to-Proton and PGP-encrypted correspondence, which goes beyond the GDPR minimum requirements for transport and storage security.

Legal Framework

Swiss data protection law (nDSG) provides a protection level comparable to GDPR. ProtonMail is also subject to strict Swiss privacy protection laws.

9.3 EU Hosting – No International Transfers

Server Locations

All website servers are located in the European Union (Germany/France/Netherlands).

Data Residency

Website data (server logs, technical data, temporary files) remains completely in the EU.

No Third Country Transfers

For website operation, no transfers to countries outside the EU/EEA occur.

EU Compliance

All hosting service providers are fully GDPR compliant and subject to European data protection law.

9.4 Guarantees for Future Services

Assessment Framework

Should services with international data transfers be introduced in the future, an adequacy assessment and transfer impact assessment will be conducted in advance.

Protection Mechanisms

  • EU adequacy decisions (Art. 45 GDPR) for countries with comparable data protection level
  • EU Standard Contractual Clauses (SCC) according to Art. 46 Para. 2 lit. c GDPR
  • EU-US Data Privacy Framework (DPF) for certified US providers
  • Additional technical/organizational measures (TOMs) as safeguards

Technical Safeguards

  • End-to-end encryption during data transmission
  • Encryption of data at rest
  • Pseudonymization and data minimization
  • EU proxy architectures for IP shielding
  • Strong authentication and access control

9.5 Exclusion of Problematic Transfers

No US Tech Giants

We deliberately do not use Google Analytics, Facebook Pixel, Amazon Web Services or similar services that regularly lead to problematic third country transfers.

No Tracking Networks

No integration of advertising networks, social media plugins or marketing tools with international data flows.

Self-Hosting Approach

Fonts, JavaScript libraries and CSS frameworks are self-hosted to avoid external dependencies and unwanted data transfers.

Privacy by Design

Architectural decisions follow the principle of data minimization and consider international data protection risks from the beginning.

9.6 Data Subject Rights for International Transfers

Information Rights

You have the right to be informed about all international transfers of your data (Art. 13, 14 GDPR).

Right to Object

For transfers based on legitimate interests, you can object to the processing (Art. 21 GDPR).

Withdrawal of Consent

Should future optional services with third country transfer based on consent be offered, you can withdraw this at any time.

Right to Complain

For concerns about international data transfers, you can contact the competent data protection supervisory authority (see section 2.5).

9.7 Monitoring and Updates

Legal Development

We actively monitor changes in international data protection law and adapt our practice accordingly.

Adequacy Decisions

Changes in EU adequacy decisions (e.g., for Switzerland, UK) are considered and documented.

Documentation

This privacy policy is updated promptly when international data flows change.

Transparency Commitment

Significant changes in international transfers are proactively communicated.

10. Retention Periods, Deletion & Storage

10.1 Server Log Files

Access Logs

IP addresses, timestamps, accessed URLs, HTTP status codes, user agent, referrer

Retention period: 7-14 days for technical operation

Purpose: Website functionality, performance monitoring

Automatic deletion after expiration of retention period

Error Logs

Server errors, application errors, debugging information

Retention period: Until problem resolution, maximum 30 days

Purpose: Error analysis, stability improvement

Manual deletion after problem resolution or automatically after 30 days

Security Logs

Firewall events, attack detection, rate limiting data, bot detection

Retention period: Until resolution/clarification of security incident

Purpose: IT security, attack defense, incident response

Deletion after incident clarification, max. 90 days for longer investigations

10.2 Contact Form & Email Communication

Contact Form Data

Name (optional), email address, subject, message content

Retention period: Processing of inquiry + 2 years

Purpose: Request processing, traceability

Manual deletion after purpose achievement, at latest after 2 years

Email Correspondence (ProtonMail)

Business email communication, support inquiries

Retention period: No automatic deletion in ProtonMail

Purpose: Business communication, support, documentation

Manual management: Deletion after problem resolution or inactivity

Legal Retention Obligations

Business correspondence with contractual reference or tax relevance

Retention period: According to commercial/tax law provisions (6-10 years)

Purpose: Compliance, evidence and documentation obligations

Automatic deletion after expiration of legal deadlines

10.3 Cookies & Session Data

Session Cookies (technically necessary)

Session ID, CSRF tokens, temporary security data

Retention period: Until browser closure (session-based)

Purpose: Security, session control, CSRF protection

Automatic deletion when browser closes

Language Setting Cookie

Selected language (German/English)

Retention period: 30 days

Purpose: User friendliness, language persistence

Automatic deletion after 30 days or manually via browser settings

No Tracking Cookies

We deliberately do not use analytics, marketing or tracking cookies

Retention period: Not applicable

Purpose: Privacy-friendly website operation

Not required

10.4 Website Cache & Temporary Files

Server-side Cache

Cached website content, CSS, JavaScript, images

Retention period: After update/deployment or maximum 7 days

Purpose: Performance optimization, faster loading times

Automatic update when content changes

Temporary Processing Files

Upload buffers, processing queues, temporary configuration files

Retention period: Few minutes to hours

Purpose: Technical processing, error handling

Automatic cleanup after processing end

10.5 Backup & Recovery Data

Website Backups

Complete website snapshots (code, configuration, content)

Retention period: 30 days (daily), 12 months (weekly)

Purpose: Disaster recovery, data protection in case of system failure

Rotation-based deletion according to backup scheme

Database Backups (if present)

Structural database snapshots (no user data on this website)

Retention period: 7 days (point-in-time recovery)

Purpose: Data loss prevention, fast recovery

Overwriting in rotation cycle after 7 days

Backup Security

All backups are encrypted and access-restricted

Retention period: According to respective backup category

Purpose: Protection against unauthorized access to backup data

Secure deletion by destroying the backup encryption keys (crypto-shredding), which renders the encrypted backup data unrecoverable

10.6 Automated Deletion Processes

Log Rotation

Automatic deletion of old log files after defined periods

Daily at 2:00 AM (server time)

  • Access logs: 14 days
  • Error logs: 30 days
  • Security logs: 90 days (for active incidents)

Cache Cleanup

Automatic deletion of outdated cache files

Every 6 hours

  • Page cache: 7 days
  • Asset cache: After deployment
  • Temporary files: 24 hours

Session Cleanup

Automatic deletion of expired session data

Every 2 hours

  • Server-side session data: Deleted after 24 hours without activity (the session cookie itself expires when the browser closes)
  • Expired sessions: Immediate deletion
  • Orphaned session files: 48 hours

10.7 Manual Deletion Procedures

Data Subject Requests (Art. 17 GDPR)

Manual processing of deletion requests

Processing within 30 days after request

  • Email correspondence from ProtonMail mailbox
  • Contact form-related data
  • All data linked to the person

Written confirmation of performed deletion

Regular Retention Review

Quarterly review of stored data

Every 3 months

  • Identification of no longer needed data
  • Review of retention periods
  • Proactive deletion of outdated data
  • Documentation of deletion activities

Emergency Deletions

Immediate deletion for security incidents or legal requirements

Within 24 hours

Complete documentation with timestamp and justification

10.8 Legal Bases for Retention Periods

GDPR Principles

  • Art. 5 Para. 1 lit. c GDPR (data minimization)
  • Art. 5 Para. 1 lit. e GDPR (storage limitation)
  • Art. 17 GDPR (right to erasure)
  • Art. 32 GDPR (security of processing)

Technical Necessity

Art. 6 Para. 1 lit. f GDPR (legitimate interest)

Secure website operation, error analysis, IT security

Legal Retention Obligations

Art. 6 Para. 1 lit. c GDPR (legal obligation)

  • Commercial law retention (HGB): 6-10 years
  • Tax law retention (AO): 10 years
  • Documentation obligations for consent: Duration of processing + 3 years

11. Security (Technical & Organizational Measures – TOMs)

11.1 Organizational Measures

Access and Role Controls

  • Clear roles and responsibilities: Least privilege principle for all system access
  • Administrator access: Only for few authorized persons according to need-to-know principle
  • Regular rights review: Quarterly review and recertification of permissions
  • Immediate rights withdrawal: Upon role change or departure of persons

Data Processing and Minimization

  • Data minimization: Collection and storage of only necessary data
  • No sensitive data: We deliberately do not collect special categories of personal data (Art. 9 GDPR)
  • Separation of data types: Server logs separate from contact data
  • Classification: Clear categorization by sensitivity and protection requirement

Data Processing and Suppliers

  • Data processing agreements (DPA): With all external service providers according to Art. 28 GDPR
  • Careful vendor selection: Preference for EU-based providers with high data protection standards
  • Sub-processor control: Approval and monitoring of subcontractors
  • Regular compliance review: Verification of contract compliance

Policies and Training

  • Security policies: Documented procedures for data protection and IT security
  • Regular training: Awareness of phishing, password security, data protection
  • Change management: Code reviews and controlled deployment processes
  • Incident management: Documented procedures for security incidents and breach notifications

11.2 Transport Security (Transmission Protection)

TLS Encryption

  • HTTPS throughout: All connections to the website exclusively via TLS 1.3
  • HSTS (HTTP Strict Transport Security): Enforced HTTPS usage via browser policy
  • Secure cipher suites: Only modern, strong encryption algorithms
  • Perfect Forward Secrecy (PFS): Protection even if long-term keys are compromised

Certificate Management

  • Valid TLS certificates: Automatic renewal via Let's Encrypt or a commercial CA
  • Certificate Transparency: Monitoring of certificates issued for our domains via CT logs, so that an unauthorized issuance would be noticed
  • OCSP Stapling: Efficient certificate status checking without the browser contacting the CA directly
  • Secure configuration: Legacy protocol versions (SSL, TLS 1.0/1.1) and weak cipher suites are disabled

Network Security

  • Firewall protection: Web Application Firewall (WAF) against common attacks
  • Rate limiting: Protection against DDoS and brute force attacks
  • IP filtering: Geographic and known threat IP blocking
  • Intrusion detection: Automatic detection of anomalous network activities

11.3 Storage Security (At-Rest Protection)

Server-side Encryption

  • Disk encryption: AES-256 encryption for all storage media
  • Database encryption: Encryption of data at rest at DB level
  • Secure key management: Separate storage and rotation of encryption keys
  • Temporary files: Encryption also for cache and temporary processing files

Backup Security

  • Encrypted backups: End-to-end encryption of all backup data
  • Geographic redundancy: Backups at least at two physically separate locations
  • Secure transmission: Encrypted connections for backup transfer
  • Access control: Strictly limited and logged backup access

Password and Authentication Security

  • Strong hashing procedures: bcrypt or Argon2 for all stored passwords
  • Salt procedures: Individual salts for each password hash
  • No plaintext storage: Never passwords stored in plaintext
  • Secure session management: Cryptographically strong session tokens

11.4 Access Control and Authentication

Administrative Access

  • Multi-factor authentication (MFA): Mandatory for all admin accounts
  • Strong password policies: At least 12 characters, complexity requirements
  • IP restrictions: Admin access only from authorized IP ranges
  • Session timeouts: Automatic logout on inactivity

User Authentication

  • Secure session cookies: HttpOnly, Secure, SameSite attributes
  • CSRF protection: Token-based protection against Cross-Site Request Forgery
  • Brute force protection: Account lockout after multiple failed attempts
  • Login logging: Monitoring of suspicious login attempts

Rights Management

  • Principle of Least Privilege: Minimal required rights for each access
  • Role-based access control: Clearly defined roles and permissions
  • Regular access reviews: Quarterly review of all permissions
  • Immediate deactivation: Upon suspicion of compromise or role change
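The cookie attributes, CSRF token handling and session expiry described above, shown as an added PHP example. This is illustrative code written for this page, not the site's own contact form code; the field name "csrf_token", the session key of the same name and the 24-hour idle limit are assumptions taken from the retention chapter, not from the site's configuration.

```php
<?php
// Added example (not the site's own code): hardened PHP session cookie
// settings plus a per-session CSRF token for a contact form.
// Assumptions: form field and session key are both named "csrf_token".
declare(strict_types=1);

function startHardenedSession(): void
{
    // Cookie only over HTTPS, invisible to JavaScript, not sent on
    // cross-site requests; lifetime 0 = deleted when the browser closes.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    // Reject session IDs the server never issued (blocks session fixation).
    ini_set('session.use_strict_mode', '1');
    // Server-side garbage collection: drop sessions idle for 24 hours.
    ini_set('session.gc_maxlifetime', (string) (24 * 3600));
    session_start();
}

function csrfToken(): string
{
    // One cryptographically random token per session, created on first use.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function verifyCsrfToken(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals avoids leaking the token through comparison timing.
    return is_string($submitted)
        && $expected !== ''
        && hash_equals($expected, $submitted);
}

// POST handler for the contact form: reject requests without a valid token
// before any form data is read or forwarded by email.
startHardenedSession();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verifyCsrfToken($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid request token');
    }
    // ... validate the form fields and forward the message ...
}
```

The form template embeds the token as a hidden input named csrf_token whose value is htmlspecialchars(csrfToken(), ENT_QUOTES). With SameSite=Strict the browser already withholds the cookie on cross-site POSTs; the token check is the defense that remains if that attribute is ever relaxed or unsupported.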

11.5 Monitoring and Operational Security

System Monitoring

  • 24/7 monitoring: Continuous monitoring of all critical systems
  • Performance monitoring: Monitoring of loading times and system utilization
  • Availability checks: Automatic detection of failures and disruptions
  • Capacity planning: Proactive planning for load peaks and growth

Security Monitoring

  • Intrusion Detection System (IDS): Automatic detection of attack attempts
  • Log analysis: Continuous evaluation of security logs
  • Anomaly detection: Automatic identification of unusual activities
  • Threat intelligence: Integration of current threat information

Maintenance and Updates

  • Regular security updates: Timely installation of critical patches
  • Vulnerability management: Systematic assessment and remediation of vulnerabilities
  • Change management: Controlled and documented system changes
  • Rollback procedures: Fast recovery for faulty updates

11.6 Incident Response and Notification Procedures

Detection and Assessment

  • Continuous monitoring: 24/7 monitoring of security-relevant events
  • Automatic alerting: Immediate notification for critical events
  • Incident classification: Assessment by severity and impact
  • Escalation procedures: Clear responsibilities and communication paths

Containment and Analysis

  • Immediate isolation: Separation of affected systems from network
  • Evidence preservation: Forensic securing of relevant logs and system states
  • Root cause analysis: Systematic cause investigation
  • Damage assessment: Estimation of impact on personal data

Notification Procedures (Art. 33/34 GDPR)

  • Supervisory authority (Art. 33): Notification within 72 hours of becoming aware of the breach
  • Data subjects (Art. 34): Immediate information for high risk
  • Documentation: Complete recording in data protection breach register
  • Follow-up: Continuous updates on measures and progress

Recovery and Improvement

  • System recovery: Controlled recommissioning after cleanup
  • Lessons learned: Analysis and documentation of gained insights
  • TOM adaptation: Improvement of security measures based on incidents
  • Training adaptation: Update of trainings and processes

11.7 Compliance and Certifications

Legal Compliance

  • GDPR conformity: Full compliance with all GDPR requirements
  • BDSG compliance: Observance of national data protection provisions
  • TDDDG conformity (formerly TTDSG): Compliance with the Telecommunications Digital Services Data Protection Act, in particular its rules on cookies and terminal equipment
  • DDG compliance (formerly TMG): Observance of the provisions of the Digital Services Act (Digitale-Dienste-Gesetz), including the imprint obligation

Technical Standards

  • ISO 27001: Orientation to international IT security standard
  • BSI IT-Grundschutz: Observance of German IT security recommendations
  • OWASP Top 10: Protection against the most common web application risks
  • Common Criteria: Consideration of security criteria in system design

Regular Assessments

  • Annual security audit: Comprehensive review of all security measures
  • Vulnerability assessments: Quarterly vulnerability scans
  • Penetration testing: Annual external security tests
  • Data protection impact assessment: For significant system changes

12. Data Subject Rights

12.1 Right to Confirmation (Art. 15 Para. 1 GDPR)

You have the right to request confirmation whether we process personal data concerning you ("whether processing").

Request by email or contact form with indication of your identity

We confirm whether and which categories of data we process about you

Includes all data: Server logs, contact form data, email correspondence

12.2 Right of Access (Art. 15 GDPR)

You have the right to comprehensive information about the processing of your personal data.

Processing purposes and legal bases

Categories of processed personal data

Recipients or categories of recipients (including third countries)

Retention period or criteria for its determination

Source of data, if not collected from you

Existence of automated decisions including profiling

Your data subject rights and complaint possibilities

You receive the first copy free of charge

Additional copies may be subject to a fee

Provision in structured, common format (e.g., PDF, CSV)

12.3 Right to Rectification (Art. 16 GDPR)

You have the right to have inaccurate personal data rectified without delay. Incomplete data must be completed.

Contact Data

Communication of correct data by email or contact form

Rectification immediately after verification

Email Correspondence

Correction or completion of existing email communication

Original emails may be kept for traceability

12.4 Right to Erasure ("Right to be Forgotten", Art. 17 GDPR)

You have the right to request the erasure of your personal data.

The purpose of data processing has ceased

You have withdrawn consent and there is no other legal basis

The data was processed unlawfully

Erasure is necessary to fulfill a legal obligation

You have successfully objected

Email Data

Deletion from ProtonMail mailbox and all local storage

Immediately after confirmation of authorization

Contact Form Data

Deletion of all stored form inputs and metadata

Backups cannot be edited selectively; affected entries disappear when the backup generation containing them expires under the rotation scheme in section 10.5 (up to 12 months for weekly backups)

Server Logs

Deletion of IP address-related entries where technically possible

Alternative: Anonymization through IP shortening (zeroing the last octet of IPv4 addresses and the last 80 bits of IPv6 addresses), after which entries can no longer be attributed to a single person

Exceptions (Art. 17 Para. 3 GDPR):

Legal retention obligations (e.g., HGB, AO)

Assertion or defense of legal claims

Fulfillment of tasks in the public interest
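The IP shortening mentioned above for server logs, as an added PHP example. It is not the site's own log handling; the log format (client address as the first field of a Common/Combined Log Format line) and the sample lines are constructed for illustration.

```php
<?php
// Added example (not the site's own code): shorten IP addresses in access
// log lines so that entries can no longer be tied to one person.
// IPv4: last octet zeroed (/24). IPv6: last 80 bits zeroed (/48).
declare(strict_types=1);

function anonymizeIp(string $ip): ?string
{
    // Validate first; inet_pton() warns on unrecognized input.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    $packed = inet_pton($ip);
    if ($packed === false) {
        return null;
    }
    $len  = strlen($packed);          // 4 bytes (IPv4) or 16 bytes (IPv6)
    $keep = ($len === 4) ? 3 : 6;     // keep /24 for IPv4, /48 for IPv6
    $masked = substr($packed, 0, $keep) . str_repeat("\0", $len - $keep);
    return inet_ntop($masked);
}

function anonymizeLogLine(string $line): string
{
    // Assumption: Common/Combined Log Format, client address is field one.
    $parts = explode(' ', $line, 2);
    if (count($parts) < 2) {
        return $line;
    }
    $anon = anonymizeIp($parts[0]);
    // Lines whose first field is not an address are left untouched.
    return ($anon === null) ? $line : $anon . ' ' . $parts[1];
}

function anonymizeLogFile(string $path): int
{
    // Rewrite a log file in place; returns the number of lines processed.
    $lines = file($path, FILE_IGNORE_NEW_LINES);
    if ($lines === false) {
        return 0;
    }
    $out = array_map('anonymizeLogLine', $lines);
    file_put_contents($path, implode(PHP_EOL, $out) . PHP_EOL, LOCK_EX);
    return count($out);
}

// Constructed sample lines (documentation address ranges, not real visitors):
$sample = [
    '203.0.113.57 - - [12/May/2025:10:15:32 +0200] "GET /privacy HTTP/2.0" 200 8123',
    '2001:db8:85a3::8a2e:370:7334 - - [12/May/2025:10:16:01 +0200] "GET / HTTP/2.0" 200 5120',
];
foreach ($sample as $line) {
    echo anonymizeLogLine($line), PHP_EOL;
}
```

Run from a cron job against rotated log files, this converts the raw address into a network prefix shared by many hosts, which is the "where technically possible" anonymization the erasure and objection sections refer to. Anonymizing at write time (for example in the web server's log format) is the stronger option, because the unshortened address then never reaches disk.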

12.5 Right to Restriction of Processing (Art. 18 GDPR)

You can request restriction of processing instead of complete deletion.

The accuracy of data is disputed (for the duration of verification)

Processing is unlawful, but you refuse deletion

We no longer need the data, but you do for legal claims

Objection has been lodged (for the duration of balancing)

Restricted data is marked accordingly

Processing only for permitted purposes (storage, legal claims)

Information before lifting the restriction

12.6 Right to Data Portability (Art. 20 GDPR)

You have the right to receive your data in a structured, commonly used and machine-readable format.

Only data that you have provided to us

Only for processing based on consent or contract performance

Only for automated processing

Available Formats

  • CSV for structured data
  • PDF for email correspondence
  • JSON for machine-readable formats

Direct Transmission

Where technically feasible and proportionate

Considering the rights of third parties

12.7 Right to Object (Art. 21 GDPR)

You can object at any time for reasons arising from your particular situation against processing based on legitimate interests.

Objection against processing according to Art. 6 Para. 1 lit. e or f GDPR

Reasons must arise from your particular situation

For direct marketing, objection is possible without justification

Server Logs

Processing based on legitimate interests (IT security)

Balancing between your rights and our security interest

Possible anonymization instead of complete cessation

No Direct Marketing

This website does not engage in direct marketing or marketing emails

Therefore this aspect of the right to object is not applicable

12.8 Right to Withdraw Consent (Art. 7 Para. 3 GDPR)

You can withdraw given consent at any time with future effect.

This website currently does not use consent-based processing

Should future optional services be offered, corresponding withdrawal option will be provided

Withdrawal via the same channels as original consent

Confirmation of withdrawal by email

No impact on lawfulness of processing before withdrawal

12.9 Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR)

You have the right to lodge a complaint with a data protection supervisory authority.

Saxon Data Protection and Transparency Commissioner

Maternistraße 17, 01067 Dresden, Germany

Phone: +49 351 85471-101

Fax: +49 351 85471-109

Email: post@sdtb.sachsen.de

Web: www.datenschutz.sachsen.de

You can also contact the supervisory authority of your habitual residence

Or the supervisory authority of your workplace

Or the supervisory authority of the place of alleged infringement

12.10 Procedures for Exercising Rights

  • 1. Submit request: By email, contact form or mail
  • 2. Identity verification: If necessary, additional verification
  • 3. Processing: Within 1 month; possible extension with justification
  • 4. Response: Provision of desired information or measure

Contact Form/Email Data

Complete access to stored correspondence

Rectification through new email with correct data

Deletion from the mailbox; backup copies are not editable and expire under the rotation scheme in section 10.5

Server Logs

Information about IP-related entries (where assignable)

Deletion or anonymization of IP-related data

Technical limits for already anonymized logs

Electronic transmission preferred (email, secure download link)

Postal delivery on request

Secure transmission for sensitive data

First exercise of rights free of charge

Manifestly unfounded or excessive requests may be refused

Reasonable fee for repeated or costly requests

Additional copies beyond the first may be subject to a fee

13. Minors

13.1 Target Group: Adult Users

The website impressum.gobbltech.com is directed exclusively at adult users. Content, functions and communication are not aimed at children or young people.

  • No child- or youth-specific design or approach
  • No dedicated areas for minors
  • No profiling or behavioral advertising focused on minors
  • Business/professional orientation (imprint, contact information)

13.2 No Processing of Children's Data

We do not knowingly process personal data of children under 16 years (or the respective digital consent age under national law).

  • No special services for minors
  • No collection of data with knowledge of the age of minors
  • No targeted advertising to minors
  • No profiling for persons under the age of consent

13.3 Procedures Upon Knowledge of Minor Data

Upon knowledge of data processing of minors:

  • Immediate contact to clarify circumstances
  • Cessation of further data processing for this person
  • Review of deletion of stored data
  • Information to legal guardians (if contactable)

Deletion of minor data:

Immediate deletion of all stored data, unless legal retention obligations prevent it

Email correspondence, contact form data, server logs (where assignable)

13.4 Rights of Legal Guardians

Representation Authority

Legal guardians can exercise all data subject rights for their minor children.

We verify representation authority before providing information or taking measures.

Exercisable rights:

  • Access to processed data of the child
  • Rectification of incorrect data
  • Erasure of the child's data
  • Restriction of processing
  • Objection to processing

Contact procedure:

Requests by email to gobbltech@proton.me

Subject: "Minor - Data Protection Request"

Proof of guardianship and identification of the affected child

13.5 Preventive Measures

Website Design

  • Business/professional orientation of content
  • No playful or child-appealing elements
  • Clear identification as business website
  • Focus on business contact

Technical Measures

  • No tracking or profiling that could affect children
  • Minimal data collection generally
  • Secure data processing and storage
  • Regular review of data holdings

14. No Automated Individual Decision-Making/Profiling

14.1 No Automated Decisions (Art. 22 GDPR)

This website does not carry out automated individual decision-making that produces legal effects or similarly significantly affects you.

No algorithms are used that automatically decide about you as a person.

  • No credit or creditworthiness checks
  • No suitability or risk assessments
  • No algorithmic blocking or exclusion decisions
  • No automated application rejections
  • No AI-based personality assessments

14.2 Technical Security Measures (no Art. 22 decisions)

Technical access controls serve IT security and do not constitute decisions within the meaning of Art. 22 GDPR:

  • Rate limiting for protection against DDoS attacks
  • Firewall rules for defense against known threats
  • Spam protection for contact forms
  • Session validation for secure connections

Manual review is possible upon request for technical misclassifications.

14.3 No Profiling with Legal Effect

This website does not create personal user profiles for evaluating personal aspects.

  • No behavioral analysis of website visitors
  • No interest profile creation
  • No personalization based on usage patterns
  • No cross-device tracking or profiling
  • No marketing segmentation

The website deliberately refrains from analytics tools and tracking

Should optional analytics be introduced in the future, this will only be done with explicit consent and without personal profiling

14.4 Manual Decision Processes

Contact Requests

All requests via contact form or email are processed by humans

Individual review and response at discretion

Support Cases

Technical or data protection requests are processed manually and individually

No automated responses or decisions

14.5 Your Control and Rights

Complete transparency about all data processing processes

No hidden algorithmic decisions

Direct human contact person for all concerns

Right to review and explanation of all decisions

Contact us by email at gobbltech@proton.me

We gladly review each case individually and humanly

15. Application Procedures

15.1 Purposes and Legal Bases

  • Conducting the application procedure (review, selection, communication)
  • Documentation of proper procedure (equal treatment)
  • Preparation of possible employment

Art. 6 Para. 1 lit. b GDPR in conjunction with § 26 Para. 1 BDSG (initiation of employment relationship)

Art. 6 Para. 1 lit. f GDPR (legitimate interest in proper procedure execution)

Art. 6 Para. 1 lit. c GDPR (legal obligations, where applicable)

Art. 9 Para. 2 lit. a GDPR (explicit consent) for voluntary disclosure of special categories

15.2 Required and Voluntary Information

  • Master data: Name, address, email address
  • Application documents: Cover letter, CV
  • Qualification evidence: Relevant certificates or certifications
  • Additional qualifications or references
  • Portfolio or work samples
  • Phone number for follow-up questions

Do not transmit special categories of personal data (health, religion, etc.) unless they are expressly relevant for the position.

If such data is relevant, we only process it with your explicit consent.

15.3 Transmission and Security

Email Application

TLS encryption during transport between mail servers, provided the sender's mail provider supports it (transport encryption is negotiated per connection and is not guaranteed by us)

For sensitive content we recommend PGP encryption or postal delivery

Contact Form

HTTPS/TLS encryption to the website

Forwarding as encrypted email to our mailbox

Postal Delivery

To the address in section 2.2

Secure physical storage

Access only for persons with HR responsibility

Confidential treatment of all application documents

No disclosure to external third parties without consent

15.4 Retention Period and Storage

Unsuccessful applications:

Deletion after 6 months from end of procedure

Purpose: answering follow-up questions and defending against claims under the General Equal Treatment Act (AGG)

Legal retention obligations remain unaffected

Talent pool (only with consent):

Longer retention only with separate, voluntary consent

Retention for up to 12 months

Withdrawal possible at any time with immediate deletion

Successful applications:

Transfer to personnel file

Separate data protection information for employees

15.5 Your Rights in the Application Process

Access to stored application data

Rectification of incorrect information

Deletion of your application documents

Restriction of processing

Objection to processing

Data portability (structured copy)

Withdrawal of talent pool consent

Withdrawal for special categories of personal data

16. Changes and Updates

16.1 Legal Development and Adaptation

This privacy policy may be updated to reflect changes in our data processing, legal requirements, or business practices.

  • Changes in applicable data protection law
  • Introduction of new website functions or services
  • Changes in third-party services or processors
  • Technical modifications to data processing
  • Clarifications or improvements in information quality

16.2 Notification and Publication

Website Publication

Updated privacy policy will be published on the website

Always current version at: https://impressum.gobbltech.com/privacy

Clear indication of effective date and version number

Significant Changes

For material changes affecting your rights, we will inform you proactively

Via email (if we have your contact data) or prominent website notice

Reasonable advance notice before changes take effect

16.3 Version Control and Documentation

Version Numbers

Each version receives a clear version number and date

Summary of material changes in each version

Previous versions documented for transparency

Effective Dates

New version applies immediately to new website visitors

Reasonable transition period for existing data processing relationships

New consent required for material expansions of processing

16.4 Your Rights Regarding Changes

Right to Information

You have the right to be informed about all material changes

Clear explanation of what changes and why

Right to Object

For changes based on legitimate interests, you can object

Object to new processing purposes that affect your data

Withdrawal Rights

For new consent-based processing, you can refuse or withdraw

Request deletion of your data if you disagree with changes

16.5 Transitional Provisions

Immediate Effect

Security improvements and technical optimizations

Changes required by law or regulatory guidance

Editorial clarifications that do not change substance

Transition Periods

30 days notice for introduction of new optional services

14 days notice for changes in data processors

30 days notice for new processing purposes

Existing Rights

Existing data subject rights remain unaffected by changes

Lawful basis for existing processing continues until lawfully changed

17. Dispute Resolution and Jurisdiction

17.1 Amicable Dispute Resolution

Preferred Approach

We strive to resolve any data protection concerns through direct communication

Please contact us first at gobbltech@proton.me before involving external authorities

We commit to good faith efforts to address legitimate concerns

Internal Resolution Process

  1. Initial contact and concern description
  2. Internal review and investigation
  3. Response with proposed solution or explanation
  4. Follow-up to ensure satisfaction

We aim to respond within 5 business days and resolve issues within 30 days

17.2 Supervisory Authority Complaints

Lead Supervisory Authority

Saxon Data Protection and Transparency Commissioner

Maternistraße 17, 01067 Dresden, Germany

+49 351 85471-101

post@sdtb.sachsen.de

www.datenschutz.sachsen.de

Your Right to Complain

You can lodge a complaint at any time, regardless of our internal process

Complaints to supervisory authorities are free of charge

No requirement to contact us first, though we encourage it

Alternative Authorities

Data protection authority of your habitual residence

Data protection authority of your place of work

Authority where the alleged infringement occurred

17.3 Applicable Law and Jurisdiction

Applicable Law

This privacy policy and all data processing is governed by German law

Subject to the directly applicable provisions of the GDPR

In case of conflict: GDPR > German BDSG > other German law

Jurisdiction for Civil Disputes

For consumers: jurisdiction according to consumer protection rules

For business disputes: courts of Dresden, Germany

Special jurisdiction for data protection claims (Art. 79 Para. 2 GDPR): you may also bring proceedings before the courts of the Member State in which you have your habitual residence

17.4 Limitation Periods

Data Subject Rights

Rights under Art. 15-22 GDPR generally have no limitation period

Rights exist as long as we process your personal data

Rights cease when data is lawfully erased

Civil Law Claims

Claims for compensation under Art. 82 GDPR: regular limitation period of three years (§ 195 BGB)

The period begins at the end of the year in which the claim arose and you became aware of it (§ 199 Para. 1 BGB)

Limitation may be suspended during supervisory authority proceedings

17.5 Representation and Legal Costs

Your Rights

You have the right to legal representation in all proceedings

German cost rules apply: the unsuccessful party generally bears the costs of the proceedings (§ 91 ZPO)

Check if your legal insurance covers data protection disputes

Our Approach

We prefer cost-effective resolution over lengthy legal proceedings

We consider proportionality in all dispute resolution

Open to reasonable settlement proposals

18. Contact for Data Protection Matters

18.1 Primary Contact Channels

gobbltech@proton.me

Response usually within 5 business days

Processing in German and English

PGP encryption available for sensitive requests

Contact form via https://impressum.gobbltech.com/contact.php

Secure transmission via TLS encryption

No storage in website database, direct email forwarding

Response by email to the provided address

18.2 Special GDPR Requests

Access Requests (Art. 15 GDPR)

Complete information about stored personal data and the details listed in Art. 15 Para. 1 GDPR (purposes, recipients, retention period, source)

Processing without undue delay and at the latest within one month after identity verification

Copy provided in a commonly used electronic format when the request is made electronically (Art. 15 Para. 3 GDPR)

Rectification Requests (Art. 16 GDPR)

Correction of incorrect or incomplete data

Immediate rectification after verification

Confirmation of performed rectification

Deletion Requests (Art. 17 GDPR)

Complete deletion of personal data

Review of retention obligations and exceptions

Written confirmation of performed deletion

Recommended content of a request:

Meaningful subject line (e.g., "GDPR Access Request")

Provide sufficient information for identity verification

Concrete description of desired right

Indication of preferred response format

18.3 Identity Verification

Protection of your personal data from unauthorized access

Appropriate verification according to sensitivity of request

  • Email verification for requests from known email addresses
  • Additional information for unknown contacts
  • Postal delivery for particularly sensitive requests

Only minimal information required for identity verification

Requests by Third Parties

Power of attorney or proof of representation authority required

Special procedures for legal guardians of minor children

Increased verification requirements to protect data subjects

18.4 Processing Times and Procedures

Acknowledgment of receipt within 3 business days

Complete processing without undue delay and at the latest within one month (Art. 12 Para. 3 GDPR)

Extension by up to two further months for complex or numerous requests (Art. 12 Para. 3 GDPR)

Timely information about deadline extensions with justification

1. Acknowledgment of receipt and completeness check

2. Identity verification (if required)

3. Compilation of relevant information

4. Legal review and approval

5. Transmission of response via secure communication channel

18.5 Postal Address for Written Requests

Danilo Endesfelder – Sole Proprietorship

c/o Nico Eberhardt

Pfotenhauerstraße 65

01307 Dresden

Germany

Please mark envelope with "Data Protection Request"

Confidential treatment of all postal requests

Response either by post or email at your choice

Longer processing time than electronic requests

18.6 Complaints and Escalation

For dissatisfaction with processing: escalation to gobbltech@proton.me

Internal review of the case by responsible person

Continuous improvement of processing procedures

Feedback for improvement of our data protection practices welcome

Right to complain to data protection supervisory authority (Art. 77 GDPR)

Saxon Data Protection and Transparency Commissioner (contact details in section 17.2)

Complaint possible without prior contact with us

Complaint and direct request to us can occur in parallel

18.7 Communication Security

Email Encryption

End-to-end encryption through Proton Mail applies only between Proton Mail accounts; messages from other providers are protected by TLS in transit and encrypted on arrival in our mailbox

PGP encryption available for end-to-end protection from any email provider

Public PGP key available upon request

Website Security

TLS 1.3 encryption for all website communication

CSRF protection and secure form transmission

No permanent storage of sensitive data in web interface

Secure transmission of all communication

Encrypted storage of incoming requests

Access only for authorized persons

Logging of access for security purposes

Last updated: Oct 27, 2025