PRIVACY POLICY

This Privacy Policy describes how I process your personal data in accordance with the European General Data Protection Regulation (“GDPR”).

1. General Information


1.1 Data Controller

Melodie Lange Privacy & Security Consulting
Melodie Lange
Zuccallistraße 12
85049 Ingolstadt

E-mail: info@privacy-compliant.de


1.2 Data subject rights and supervisory authority

To exercise your rights, send me an email at: info@privacy-compliant.de.

Data subject rights
As a data subject, you can assert the following rights at any time:

  • Information about your stored data and its processing (Art. 15 GDPR),
  • Rectification of incorrect personal data (Art. 16 GDPR),
  • Deletion of your stored data (Art. 17 GDPR),
  • Restriction of data processing, if I am not allowed to delete your data due to legal obligations (Art. 18 GDPR),
  • Transfer of your data, provided that you have consented to the data processing or a contract has been concluded with me (Art. 20 GDPR),
  • Objection to the processing of your data (Art. 21 GDPR).

If you have given your consent, you can revoke it at any time with effect for the future.

Objection
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of an overriding legitimate interest (Art. 6 para. 1 lit. f) GDPR). This also applies to profiling within the meaning of Art. 4 Nr. 4 GDPR.

If you object, I will no longer process your personal data unless I can demonstrate compelling legitimate grounds for the processing which override your interests, rights or freedoms, or the processing serves the assertion, exercise or defense of legal claims.

Complaint to supervisory authority
You may at any time lodge a complaint with a supervisory authority, e.g. the competent supervisory authority in the federal state of your residence or the authority responsible for me as the controller.

The supervisory authority responsible for me is the Bavarian State Office for Data Protection Supervision (Bayerisches Landesamt für Datenschutzaufsicht – BayLDA).

A list of supervisory authorities (for the non-public sector) with addresses can be found at: https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html.


1.3 Legal bases

The data processing is based on Art. 6 para. 1 GDPR.

In particular, the processing of your data is based on the following legal bases:

  • Your consent (Art. 6 para. 1 lit. a) GDPR),
  • To fulfill a contract or pre-contractual measures (Art. 6 para. 1 lit. b) GDPR),
  • To fulfill a legal obligation (Art. 6 para. 1 lit. c) GDPR),
  • In pursuit of legitimate interests (Art. 6 para. 1 lit. f) GDPR).

Several legal bases may apply to the individual processing operations.


1.4 Recipients of your data

Service providers are used for some of the data processing activities performed. These service providers are processors and are required under Article 28 GDPR to process your data only in accordance with my instructions. These processors may have access to your personal data in the course of their activities.


1.5 Data transfer to third countries

Unless otherwise stated below, your data will not be transferred to a third country outside the European Union. Your personal data will only be transferred to third countries if the requirements of Art. 44-49 GDPR are met, in particular Standard Contractual Clauses, Binding Corporate Rules, or an adequacy decision of the European Commission.


1.6 Deletion periods

The duration of data storage depends on the respective processing activity. If the retention period is not specified in more detail, your personal data will be deleted or blocked as soon as the purpose or legal basis for the storage ceases to apply. Personal data will not be deleted if storage is required by law (e.g. § 257 HGB, § 147 AO) or in the event of a possible legal dispute.


1.7 Provision of data

The provision of data is generally voluntary, unless it is contractually required or prescribed by law. Under certain circumstances, the requested service cannot be provided or can only be provided with difficulty without providing your data.


1.8 Changes to the privacy policy

I reserve the right to adapt this privacy policy so that it always complies with the current legal requirements. The current version of the privacy policy applies.

2. Cookies

This website uses so-called “cookies”. Cookies do not harm your device and do not contain viruses. Cookies are small text files that are stored on your end device (laptop, tablet, smartphone or similar) when you visit a website.

Cookies serve to make this website more user-friendly, effective and secure.

By law, cookies can be stored on your device if they are absolutely necessary for the operation of this site. For all other types of cookies, your consent is required.

This website only uses technically necessary cookies, therefore no consent is required.


3. Individual Data Processing


3.1 Server log files

Purpose of data processing
When visiting this website, certain connection data is stored in a server log of the hosting provider. These server log files record, for example, the name of the requested file, your IP address, the date and time of the request, the amount of data transferred and the requesting provider (collectively, access data), and thereby document the request.

This access data is evaluated solely for the purpose of ensuring trouble-free operation of the site and improving this website.

Legal basis
The processing is carried out in the legitimate interest of maintaining the stability, security and functionality of the website (Art. 6 para. 1 lit. f) GDPR).

Recipients
The services for hosting and displaying the website are provided by service providers in Germany as part of processing on my behalf. Unless otherwise explained in this privacy policy, all access data as well as all data collected in forms provided for this purpose on this website are processed on their servers.

Deletion period
All access data will be deleted no later than 14 days after the end of your visit to the site unless a security-related event occurs (e.g. a DDoS attack). In the event of such an event, server log files are stored until the security-relevant event has been eliminated and fully resolved.

Provision
The provision of the aforementioned personal data is not required by law or contract. However, without this data, the service and functionality of my website cannot be guaranteed. In addition, individual services and features may not be available or may be limited.


3.2 Contact

You can contact me by sending me an e-mail or entering data in the end-to-end encrypted contact form. You can specify your request and contact me directly using the contact information on this website.

Purpose of data processing
The data you enter and submit will be processed for the purpose of individual communication with you.

Legal basis
The data processing is carried out for the implementation of pre-contractual measures, for the fulfillment of a contract (Art. 6 para. 1 lit. b) GDPR) or on the basis of my legitimate interest in providing efficient and secure communication (Art. 6 para. 1 lit. f) GDPR).

Deletion period
Unless legal retention periods require the retention of data or the nature of the processing requires ongoing processing of personal data, your data will be deleted no later than 3 years after the last contact. If a contractual relationship arises, your contact data will be stored for as long as this contractual relationship exists. If legal retention periods exist, these will be observed and your data will be deleted after these periods have expired.

Provision
The provision of your data is voluntary. However, your request cannot be processed without your data.


3.3 Making an appointment

Purpose of processing
I offer the possibility to arrange consulting appointments via an automated integration of a service provider.

Legal basis
The processing is carried out in the legitimate interest of offering an efficient communication solution (Art. 6 para. 1 lit. f) GDPR) as well as for the fulfillment of contractual or pre-contractual measures (Art. 6 para. 1 lit. b) GDPR).

Recipient
The recipient of the data is a data processor in the United States (Calendly). A corresponding contract for data processing including Standard Contractual Clauses has been concluded for this purpose. It obliges the service provider to process your data only according to my instructions.

Third country transfer
The data processing contract with the service provider (Calendly) contains Standard Contractual Clauses approved by the EU Commission and appropriate guarantees to ensure that data protection obligations are met.

Deletion period
Your data will be deleted no later than 3 years after the last contact. If a contractual relationship arises, your contact data will be stored for as long as this contractual relationship exists. If legal retention periods exist, these will be observed and your data will be deleted after these periods have expired.

Provision
The provision of your data is voluntary. However, no appointment can be booked without providing your personal data.

3.4 Consulting Services

Purpose of processing
As part of my consulting services, I process personal data to manage client relationships, provide GDPR-related support, and fulfill contractual obligations. This includes communication, project documentation, and service coordination.

Legal basis
Performance of a contract (Art. 6 para. 1 lit. (b) GDPR) – When processing is necessary to provide consulting services as agreed.

Legal obligations (Art. 6 para. 1 lit. (c) GDPR) – When required for record-keeping, invoicing, or compliance with legal regulations.

Recipients
I do not share client data with third parties unless legally required (e.g., tax authorities) or explicitly agreed upon.

Deletion Period
Client data is securely stored and managed without the use of a CRM system. I organize all consulting-related data using Microsoft Office tools (e.g., Excel, Word, Outlook; hosted in Germany through IONOS) on secure, access-restricted devices.


3.5 Video conferencing tools

Purpose of processing
Video conferencing tools such as Teams and Zoom are used to conduct consultations, workshops and training sessions. This allows for effective delivery of content and communication with you.

For a detailed list of the categories of data collected and processed, as well as the exact purpose of the processing in each case, please see:

The extensive settings are configured in such a way that only the necessary personal data is processed and that the collected data is protected in the best possible way.

Registered users are responsible for what data they disclose about themselves in the course of registration.

As a rule, no recording takes place, and otherwise only with your consent.

Legal basis
The use of video conferencing tools is based on a legitimate interest (Art. 6 para. 1 lit. f) GDPR) in the practical and user-friendly implementation of consulting sessions, workshops and training courses.

Recipients
Recipients of the data are data processors in the United States (Teams and Zoom). Corresponding contracts for data processing or Standard Contractual Clauses have been concluded for this purpose. These oblige the service providers to process your data only in accordance with my instructions.

Third country transfer
The data processing contracts with the service providers (Teams and Zoom) contain Standard Contractual Clauses approved by the EU Commission and appropriate guarantees to ensure that data protection obligations are met.

Deletion period
Data is only collected in the context of the respective live session. As a rule, recording does not take place or only in the event of prior, separate consent by the participants. Recording enabled by the system is prevented for all participants. Registration data is deleted after the end of its purpose. This usually takes place after a maximum storage period of 6 months in the system.

Provision
The provision of your personal data is voluntary. However, communication via video conferencing tools can only be offered if the associated processing can be carried out.

3.6 Payment Processing

Purpose of Processing
For the processing of payments related to my paid consulting sessions, I use the payment service provider Stripe via the Calendly platform.

Legal Basis
The processing of your data is based on Art. 6 (1) lit. b GDPR (performance of a contract or pre-contractual measures) as well as on my legitimate interest in ensuring a reliable and secure payment process in accordance with Art. 6 (1) lit. f GDPR.

Recipient
The provider is Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland.

Transfer to Third Countries
Stripe may also transfer data to the USA. Stripe is certified under the EU-U.S. Data Privacy Framework.

You can find more information about Stripe’s data processing here: https://stripe.com/privacy

Retention Period
Personal data related to the payment process will be deleted once it is no longer necessary for processing and no legal retention obligations exist (e.g. according to the German Commercial Code or Tax Code). As a rule, data is deleted after the statutory retention period of 10 years.

3.7 Accounting

Purpose of processing
To fulfill legal obligations related to financial accounting and tax compliance, I process personal data such as invoice and payment information.

Legal basis
The processing is carried out to fulfill legal obligations pursuant to Art. 6 (1) c GDPR (particularly §§ 147 AO, 257 HGB) and based on my legitimate interest in proper business administration (Art. 6 (1) f GDPR).

Recipients
Processing is conducted using GDPR-compliant accounting software hosted in Germany. Relevant data is also shared with my tax advisor, who is subject to professional confidentiality and data protection obligations.

Retention period
Data is retained in accordance with statutory retention periods (usually 10 years under § 147 AO or 6 years under § 257 HGB) and deleted after these periods unless further retention is legally required.

Provision of data
The provision of this data is legally required. Without it, compliant accounting and tax processing is not possible.


4. Social Media

Purpose of processing

I use LinkedIn and Instagram to build my online presence, promote my services, and connect with clients and prospects. This includes sharing updates, responding to comments and messages, and seeing how people interact with my content.

The social media platform (LinkedIn or Instagram) is responsible for handling your data and informing you about how it is processed. Since these platforms have direct access to your data, they are also your main contact for any privacy-related questions or rights.

If you have given consent (Art. 6 para. 1 lit. (a) GDPR) to LinkedIn or Instagram, they may collect and store your data when you visit my profile. You can find more details on how they use your data, as well as privacy settings and contact options, in their privacy policies linked below.

Legal basis

I process your data because I have a legitimate interest in building my online presence (Art. 6 para. 1 lit. (f) GDPR).

If our communication is related to a potential contract (e.g., discussing my services), your data is processed to take steps before entering into a contract (Art. 6 para. 1 lit. (b) GDPR).

If you have given consent to the social media platform (e.g., LinkedIn or Instagram) for analytics and tracking, your data may also be processed for these purposes (Art. 6 para. 1 lit. (a) GDPR). The platform itself obtains this consent and manages these analytics.

Recipients
Recipients are the social media operators LinkedIn and Instagram.

  • LinkedIn: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
  • Instagram: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

Third-country transfer
When using LinkedIn and Instagram, data may also be processed outside the EU. The contracts with these providers contain Standard Contractual Clauses approved by the EU Commission and appropriate guarantees to ensure that data protection obligations are met.

– – –

Date: April 2025

CONSULT

Data protection law and information security consulting in the following areas:
  • Individual queries related to data protection and information security;
  • Introduction, modification or optimization of processes;
  • Introduction and development of software, apps, cloud services;
  • Creation, adaptation and optimization of documentation (e.g. guidelines, policies, procedures);
  • Merging multiple compliance and governance frameworks (e.g., GDPR, ISO 27001);
  • Facilitation of workshops in case of implementation difficulties.