Privacy Policy

Here is the updated Privacy Policy with:

  • Shipping providers removed (as before),

  • Payment processors removed entirely,

  • HubSpot inserted as the CRM,

  • OpenAI support chat retained with Azure EU region detail,

  • Citations added for all material legal/technical claims.

You can copy-paste this to your site; everything bracketed is either optional or already filled based on your inputs.


Privacy Policy (GDPR)

Effective date: 03 August 2025
Controller: sitegeist GmbH (HRB [add])
Address: Veilchenweg 22, 85521 Riemerling, Germany
Website: sitegeist-robotics.com
Data protection contact: Claus Carste, legal@sitegeist-robotics.com, +49 156 795 93260
We do not appoint a statutory DPO; the above contact handles privacy requests.


1) Overview

We process personal data only as needed to operate this website, answer inquiries, fulfill orders (if enabled), ensure security, and—with consent—perform analytics and marketing. We rely on the legal bases in Art. 6 GDPR (consent, contract, legal obligation, legitimate interests). You can exercise your rights (access, erasure, restriction, portability, objection, withdrawal of consent) and we respond within 30 days. Non-essential cookies and tracking technologies are loaded only after your opt-in consent via our banner. (European Commission, devowl.io, Securiti, Cookie Law Info)


2) What we collect

2.1 Contact / lead forms (WordPress/Elementor)

  • Data: name, email, phone, company, message; plus form consents:

    • “I consent to the Sitegeist GmbH Privacy Policy” (required for submission)

    • “I agree to receive other information and offers” (optional marketing opt-in).

  • Legal basis: pre-contractual/contractual communication (Art. 6(1)(b)) and explicit consent for marketing (Art. 6(1)(a)). (EUR-Lex, GDPR)

2.2 Orders (if/when enabled)

  • Data: customer/contact details, billing information, items, order status; full payment card numbers are not stored.

  • Legal basis: contract fulfillment (Art. 6(1)(b)), legal obligations such as tax/commercial retention (Art. 6(1)(c)), and fraud prevention (Art. 6(1)(f)). (EUR-Lex, European Commission)

2.3 Technical logs & security

  • Data: IP addresses, timestamps, user-agent strings, requested URLs, error and diagnostic logs, anti-abuse signals.

  • Legal basis: legitimate interests in operating and securing our services (Art. 6(1)(f)). (European Commission)

2.4 Analytics (Google Analytics 4)

  • Data: event-level usage and device metadata, only collected after user consent.

  • Legal basis: consent (Art. 6(1)(a)). You can adjust or withdraw consent via the banner at any time.

  • Retention: configured to 14 months by default for user-level and event data; shorter or longer retention can be configured in GA4 settings. (Google Help, Whatagraph)

2.5 Children

Our services are not directed to minors, and we do not knowingly process the data of individuals under 16 in relation to information society services without parental authorization, per Article 8 GDPR. (GDPR, GDPRhub)

2.6 Special categories

We do not intentionally collect or process special category data (e.g., health, racial/ethnic, biometric). (European Commission)


3) Cookies & similar technologies

We use a consent management banner (via Complianz) to obtain prior, informed, and granular consent before setting non-essential cookies or accessing local storage. Under German law (TTDSG/TDDDG) and GDPR guidance, such consent is required for analytics and tracking; essential cookies (strictly necessary) may operate without prior consent. Banner design complies with current expectations (clear accept/reject options, ability to withdraw). (devowl.io, Securiti, CookieScript, Cookie Law Info, Ailance)


4) Purposes & legal bases

Purpose                           | Examples                              | Legal basis
----------------------------------|---------------------------------------|-----------------------------
Respond to inquiries              | Contact form replies, follow-ups      | Art. 6(1)(b)
Fulfill orders & customer service | Order handling, invoicing             | Art. 6(1)(b) / Art. 6(1)(c)
Security & abuse prevention       | Log monitoring, fraud detection       | Art. 6(1)(f)
Analytics/performance             | Usage metrics via GA4 (after consent) | Art. 6(1)(a)
Marketing communications          | Newsletters, offers (opt-in)          | Art. 6(1)(a)

These align with GDPR Articles 6 and 12–22. (European Commission, GDPR)


5) AI support chat (OpenAI / Azure in EU)

We offer a support chat that leverages OpenAI technology. Messages you send (and limited metadata) are processed to generate responses and for abuse prevention.

  • Infrastructure: Hosted on Microsoft Azure configured to EU regions / EU Data Boundary, ensuring customer data is stored and processed within the EU/EFTA where supported. (Microsoft Learn, Microsoft, AP News)

  • OpenAI as processor: When OpenAI processes data (via Azure OpenAI or direct OpenAI API/Enterprise), it does so under a Data Processing Addendum (DPA) and uses appropriate transfer safeguards such as Standard Contractual Clauses (SCCs) or relies on recognized frameworks where applicable. (OpenAI, Webflow, GDPR Commentary)

  • International transfers: If data leaves the EEA (e.g., to systems not fully covered by EU residency), we rely on SCCs (EU Commission Implementing Decision 2021/914) and, when available, adequacy mechanisms like the EU-U.S. Data Privacy Framework, applying supplementary measures as needed. (EUR-Lex, European Commission)


6) Recipients / processors

We engage third-party processors under written agreements (Art. 28 GDPR) with appropriate safeguards:

  • Hosting & infrastructure: AWS (EU regions) and Microsoft Azure (EU regions, EU Data Boundary). (Microsoft, Microsoft Learn)

  • Analytics: Google Analytics 4 (consent-based). (Google Help, Whatagraph)

  • CRM / Email handling: HubSpot (customer relationship and marketing automation).

  • AI support chat: OpenAI (via Azure OpenAI or direct integration). (OpenAI, Webflow)

We may also disclose data to legal authorities, auditors, or advisors where required by law or to defend legal claims.


7) International transfers

Transfers outside the EU/EEA are governed by Standard Contractual Clauses (SCCs) and documented risk assessments; where applicable, transfers may also rely on other adequacy mechanisms. (EUR-Lex, European Commission)


8) Retention

  • Contact leads: 24 months after last interaction unless longer needed for legal claims.

  • Consent records (marketing): up to 3 years to demonstrate compliance.

  • Analytics (GA4): 14 months by default. (Google Help, Whatagraph)

  • Order/invoicing data (if active): retained per German commercial and tax law (typically 6–10 years, e.g., §257 HGB and §147 AO). (EUR-Lex, European Commission)

  • Security logs: typically 90 days, extended if needed for investigation or legal reasons.


9) Your rights

You have rights to access, rectify, erase, restrict, object, port, and withdraw consent.
How to exercise: email legal@sitegeist-robotics.com; identity verification may be requested. We respond within 30 days unless lawfully extended. (GDPR, European Commission)


10) Marketing communications

Marketing is sent only with explicit opt-in consent via the form. You can unsubscribe at any time through the links in the messages or by contacting us. Legal basis: Art. 6(1)(a). (EUR-Lex, Securiti)


11) Automated decision-making / profiling

Currently not used. If we introduce profiling or automated decisions with legal or significant effects, we will update this policy, disclose logic and consequences, and offer opt-out or seek consent as required. (European Commission)


12) Security measures

We implement technical and organizational measures including: TLS encryption in transit, encryption at rest where supported, role-based access control, multi-factor authentication, least privilege, environment segregation, regular patching, logging and monitoring, backups, employee confidentiality training, and WordPress hardening (restricted admin access and security plugins). (European Commission)


13) Third-party links

Other websites linked from ours have their own privacy practices. Review their policies when leaving our site.


14) Changes to this Policy

We may revise this policy; updates appear here with the effective date. Material changes may be surfaced via banner or notice.


15) Supervisory authority

You may lodge a complaint with your local authority or directly with the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA): Promenade 18, 91522 Ansbach, Germany; Tel. +49 981 180093-0; poststelle@lda.bayern.de; www.lda.bayern.de. (BayernPortal, proact.eu)
