Legal

Privacy Policy

Privacy policy pursuant to the GDPR — Last updated: March 2026

1. Controller

The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:

relokate HR GmbH

Urbanstraße 71, 10967 Berlin, Germany

Managing Director: Katharina Hilgers

Email: hello@relokatehr.com

Website: www.relokatehr.com

2. Overview of data processing

Types of data processed

  • Personal data (name, address)
  • Contact data (email, phone number)
  • Content data (form inputs, messages)
  • Contract data (subject matter, duration)
  • Payment data (bank details, invoices)
  • Usage data (pages visited, access times)
  • Meta and communication data (device information, IP addresses)

Categories of data subjects

Customers, prospective customers, business partners, website visitors, and users of our services.

Purposes of processing

  • Provision of our services and contract performance
  • Responding to contact requests and communication
  • Security measures
  • Reach measurement and marketing
  • Office and organisational procedures

3. Legal bases

We process personal data in accordance with the GDPR. The following legal bases apply:

  • Consent (Art. 6(1)(a) GDPR) — where you have given us explicit consent.
  • Contract performance (Art. 6(1)(b) GDPR) — where processing is necessary to fulfil a contract with you.
  • Legal obligation (Art. 6(1)(c) GDPR) — where we are legally required to process data.
  • Legitimate interests (Art. 6(1)(f) GDPR) — where processing serves our legitimate business interests, provided your rights do not override them.

4. Security measures

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Art. 32 GDPR. These include:

  • SSL/TLS encryption for all data in transit (HTTPS)
  • Access controls for systems and data
  • Measures to ensure confidentiality, integrity, and availability of data
  • Privacy by design and by default
  • Documented procedures for responding to data breaches

5. Data transfers to third parties

We only transfer personal data to third parties when this is necessary for the performance of our services, when we are legally obligated to do so, or when you have given consent. Where we use external service providers (processors), data processing agreements are in place in accordance with Art. 28 GDPR.

For transfers to countries outside the EU/EEA, we rely on EU Standard Contractual Clauses or adequacy decisions by the European Commission.

6. Hosting

This website is hosted by Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA. When you visit our website, Vercel processes your IP address, browser type, and access times in server log files. This is necessary for the provision of the website (Art. 6(1)(f) GDPR). Vercel's data processing is governed by their privacy policy and EU Standard Contractual Clauses.

7. Cookies

Our website uses cookies — small text files stored on your device. Some cookies are technically necessary for the website to function (session cookies). Other cookies help us analyse how the website is used (analytics cookies) or enable third-party services. You can manage your cookie preferences via our consent banner.

  • Necessary cookies: Required for core website functionality. No consent needed.
  • Analytics cookies: Help us understand usage patterns. Set only with your consent.
  • Marketing cookies: Used by third-party services for targeted communication. Set only with your consent.

You can disable cookies in your browser settings at any time. Please note that some features of the website may not function properly without cookies.

8. Web analytics

We use Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses cookies to analyse your use of the website. The information generated by the cookie is usually transferred to a Google server in the USA and stored there.

We use IP anonymisation (IP masking), meaning your IP address is shortened within the EU/EEA before being transmitted. Only in exceptional cases is the full IP address sent to a Google server in the USA and shortened there.

Legal basis: Art. 6(1)(a) GDPR (consent via cookie banner).

9. Contact forms and HubSpot

When you use our contact forms or booking widgets, the data you provide (name, email, company, message) is processed for the purpose of handling your enquiry. We use HubSpot (HubSpot Inc., 25 First Street, Cambridge, MA 02141, USA) as our CRM and marketing platform to manage contact requests, leads, and email communication.

HubSpot processes data on our behalf under a data processing agreement. For transfers to the USA, EU Standard Contractual Clauses apply.

Legal basis: Art. 6(1)(b) GDPR (contract performance) or Art. 6(1)(f) GDPR (legitimate interest in responding to enquiries).

10. Live chat (Intercom)

We use Intercom (Intercom R&D Unlimited Company, 2nd Floor, Stephen Court, 18–21 St Stephen's Green, Dublin 2, Ireland) for live chat and customer communication. When you use the chat widget, Intercom processes your messages, email (if provided), and usage data.

Legal basis: Art. 6(1)(b) GDPR (contract performance) or Art. 6(1)(f) GDPR (legitimate interest in providing customer support).

11. Newsletter and email marketing

If you subscribe to our newsletter or provide your email through our tools, we use a double opt-in procedure: after signing up, you will receive a confirmation email. Your subscription is only activated once you confirm.

We may track email opens and clicks to measure the effectiveness of our communication. You can unsubscribe at any time via the link in every email.

Legal basis: Art. 6(1)(a) GDPR (consent).

12. Data retention

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. Typical retention periods:

  • Contract data: duration of the contract + 4 years
  • Tax-relevant records: 10 years (§ 147 AO, § 257 HGB)
  • Newsletter consent evidence: up to 3 years after unsubscribe
  • Server log files: maximum 30 days

13. Your rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR) — confirmation of whether and which data we process about you.
  • Right to rectification (Art. 16 GDPR) — correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR) — deletion of your data, subject to legal retention obligations.
  • Right to restriction (Art. 18 GDPR) — restriction of processing in certain circumstances.
  • Right to data portability (Art. 20 GDPR) — receive your data in a structured, machine-readable format.
  • Right to object (Art. 21 GDPR) — object to processing based on legitimate interests at any time.
  • Right to withdraw consent (Art. 7(3) GDPR) — withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint — with a supervisory authority (e.g. Berliner Beauftragte für Datenschutz und Informationsfreiheit).

To exercise your rights, contact us at hello@relokatehr.com.

14. Changes to this privacy policy

We reserve the right to update this privacy policy to reflect changes in our data processing practices or legal requirements. The current version is always available on this page.