Privacy Policy
Last updated: February 6, 2026
About this Privacy Policy
Hi there!
I take your privacy seriously. This policy explains what data I collect, why I need it, and how I protect it.
I’ve written this in plain language – no legal jargon overload.
Quick summary: I only collect what’s necessary to provide my services, I don’t sell your data, and you’re in control.
The protection of your personal data is very important to me. I process your personal data in compliance with applicable data protection regulations, in particular the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), the Digital Services Act (DDG, successor to TMG) and the Telecommunications-Telemedia Data Protection Act (TTDSG). This privacy policy explains what personal data I collect when you use this website and my services, how I use this data, and what rights you have.
If you have any questions about data protection, please contact me at dataprotection@facilicat.com.
Controller & Data Protection Officer
1. Data Collection on this Website
1.1 Automatically Collected Data (Server Log Files)
Every time you visit a website, your browser automatically transmits certain information. This is a technical necessity for the website to be displayed. My hosting provider (ALL-INKL.COM) collects and stores this information temporarily in so-called server log files. Check out their data protection policy for more information.
The following data is automatically recorded:
- IP address of your device
- Date and time of your visit
- Browser type and version (e.g., Chrome, Firefox, Safari)
- Operating system (e.g., Windows, macOS, iOS)
- Referrer URL (the website from which you came to my site)
- Pages you accessed on my website
- Amount of data transferred
Why is this data collected?
This data is necessary to deliver the website to you, ensure system security, detect and prevent misuse, and optimize the website. I cannot personally identify you from this data alone.
Legal basis: Art. 6(1)(f) GDPR – legitimate interest in ensuring the technical operation, security, and optimization of the website.
Storage duration: 90 days (or as per all-inkl standard, max. 7 days for logs), after which the data is anonymized or deleted.
1.2 Contact Forms & Appointment Booking
When you actively contact me via the contact form (e.g., Contact Form 7 Plugin) or email, or book an appointment through my booking system, you provide personal information voluntarily.
This includes:
- Your name
- Email address
- Phone number (if you provide it)
- Your message or inquiry
- Appointment details (date, time, purpose)
- Company name (for business inquiries)
Why do I process this data?
I need this information to respond to your inquiry, schedule appointments, prepare for our meeting, and fulfill any service contracts we enter into.
Legal basis: Art. 6(1)(b) GDPR – processing is necessary for contract fulfilment or to take steps at your request prior to entering into a contract.
Storage duration: Your data is stored for up to 3 years after our last contact to maintain business continuity. If we enter into a contractual relationship, statutory retention periods under commercial and tax law may apply (typically 6-10 years under §147 AO and §257 HGB).
2. External Services & Data Processors
I work with selected external service providers to deliver my services effectively. These providers process data on my behalf and are bound by data processing agreements according to Art. 28 GDPR.
2.1 ALL-INKL.COM (Website Hosting & WordPress)
This website is hosted by ALL-INKL.COM – Neue Medien Münnich, Hauptstraße 68, 02742 Friedersdorf, Germany. Servers are located exclusively in Germany (Rechenzentrum Dresden). See here for more information.
What does this mean?
All content is stored on ALL-INKL.COM servers (WordPress core/plugins). When you visit, a connection to these servers is established.
Data processed: Server log files (1.1)
Data location: Germany (EU)
Legal basis: Art. 6(1)(f) GDPR; Art. 28 GDPR (AVV via all-inkl Kundenbereich)
More information: all-inkl.com/datenschutzinformationen/
2.2 Microsoft 365 & Microsoft Bookings
I use Microsoft 365 services for professional email communication, document management, calendar functions, and online appointment scheduling (Microsoft Bookings).
What does this mean for you?
When you email me or book an appointment through my booking system, your data is processed on Microsoft servers. This includes our email correspondence, appointment details, and any documents we exchange during our collaboration.
Data processed:
- Email communication and attachments
- Calendar entries and appointment data
- Contact information (name, email, phone)
- Documents shared during our collaboration
- Meeting notes and preparation materials
- Login and authentication data for scheduled meetings
Data location: Primarily Europe, with some services in the USA
Legal basis: Art. 6(1)(b) GDPR (contract fulfilment); Art. 28 GDPR (data processing agreement with Microsoft)
Data protection safeguards: Microsoft provides EU Standard Contractual Clauses and is partially certified under the EU-US Data Privacy Framework.
Important for appointment bookings: When you book an appointment via Microsoft Bookings, you will be asked to acknowledge that your contact details will be stored on Microsoft servers for appointment management purposes. This is explained in detail in section 7 below.
More information: microsoft.com/trust-center/privacy
2.3 Lexoffice (Accounting & Invoicing)
For invoicing, accounting, and financial record-keeping, I use Lexoffice by Haufe-Lexware GmbH & Co. KG, Munzinger Straße 9, 79111 Freiburg, Germany.
What does this mean?
If we enter into a business relationship, your invoice-relevant data is processed in this accounting software to create invoices, track payments, and fulfill my legal obligations under tax and commercial law.
Data processed:
- Name and company details
- Billing address
- Invoice amounts and payment information
- Tax identification numbers (if applicable)
- Service descriptions and project details
- Payment dates and methods
Data location: Germany (servers located in Germany)
Legal basis:
- Art. 6(1)(b) GDPR – contract fulfillment (creating and sending invoices)
- Art. 6(1)(c) GDPR – legal obligations under German tax law (§147 AO) and commercial law (§257 HGB)
Storage duration: 10 years from the end of the calendar year in which the invoice was created (statutory retention requirement)
Why so long?
German law requires me to retain financial records for tax audits. This is not optional and applies to all businesses in Germany.
More information: lexoffice.de/datenschutz
2.4 Google Fonts
This website uses fonts from Google Fonts, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
What does this mean?
To display certain fonts, your browser loads font files from Google servers. This creates a connection to Google servers, and your IP address is transmitted to Google.
Data processed: IP address, browser information, fonts requested
Data location: USA (Google servers)
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in consistent typography and fast page loading)
Data protection safeguards: Google is certified under the EU-US Data Privacy Framework.
More information: policies.google.com/privacy
3. Cookies & Tracking
What are cookies?
Cookies are small text files that are stored on your device when you visit a website. They help websites remember your preferences and enable certain functionalities.
What cookies does this website use?
This website uses a minimal cookie approach. When you first visit, you’ll see a cookie banner asking for your consent. Your choice is stored locally and respected during future visits.
Essential cookies only (after declining)
If you decline cookies via the cookie banner, this website only sets:
- WordPress Session cookie (crumb): Required for security purposes (CSRF protection)
- Preference cookies: Remember your cookie choice.
These cookies are technically necessary for the website to function properly and to respect your preferences.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in website functionality and security) and § 25(2) TTDSG
If you accept cookies, WordPress’s built-in analytics tracks visitor statistics including:
- Number of visitors
- Pages viewed
- Geographic location (anonymized)
- Device and browser information
- Traffic sources
Legal basis: Art. 6(1)(a) GDPR (consent)
You can withdraw consent at any time by clearing your cookies or revisiting the cookie banner to adjust your preferences.
4. Data Transfers to Third Countries
Some of the service providers I work with (Microsoft, Google Fonts) operate servers in the United States, which is considered a third country outside the European Economic Area (EEA) under data protection law.
What does this mean?
The USA has different data protection laws than the EU. However, Microsoft and Google have implemented safeguards to ensure your data receives adequate protection:
Safeguards in place:
- EU-US Data Privacy Framework (DPF): Microsoft and Google are certified under this framework, which has been recognized by the European Commission as providing adequate protection (Adequacy Decision, July 2023; confirmed by EuGH 2025).
- EU Standard Contractual Clauses: Additional contractual safeguards approved by the EU Commission (Art. 46(2)(c) GDPR). Microsoft’s EU Data Boundary keeps most M365/Bookings data in EU datacenters (Germany, etc.), with limited operational transfers to the USA.
- Technical and organizational measures: Encryption, access controls, and security protocols.
Transparency: While these safeguards provide strong protection, I want to be transparent that data protection authorities and courts continue to scrutinize international data transfers. The legal landscape is evolving, and I continuously monitor developments to ensure compliance.
5. Your Rights Under GDPR
You have comprehensive rights regarding your personal data. These are not just theoretical – they are legally enforceable rights that I respect and facilitate.
Right of Access (Art. 15 GDPR)
You have the right to know what personal data I store about you. You can request a copy of your data at any time.
Right to Rectification (Art. 16 GDPR)
If your data is incorrect or incomplete, you have the right to have it corrected or completed.
Right to Erasure (Art. 17 GDPR)
Also known as the “right to be forgotten.” You can request deletion of your data if:
- The data is no longer necessary for the purpose it was collected
- You withdraw your consent and there is no other legal basis for processing
- You object to processing and there are no overriding legitimate grounds
- The data was processed unlawfully
Note: This right may be limited by statutory retention obligations (e.g., tax and accounting records must be kept for 10 years).
Right to Restriction of Processing (Art. 18 GDPR)
You can request that I limit how I use your data in certain situations, such as when you contest the accuracy of the data.
Right to Data Portability (Art. 20 GDPR)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format. You can also request that I transmit this data directly to another controller.
Right to Object (Art. 21 GDPR)
You can object to processing based on legitimate interests (Art. 6(1)(f) GDPR) at any time. I will then stop processing unless I can demonstrate compelling legitimate grounds that override your interests.
Right to Withdraw Consent (Art. 7(3) GDPR)
If processing is based on your consent, you can withdraw it at any time. The withdrawal does not affect the lawfulness of processing before the withdrawal.
How to Exercise Your Rights
Contact me at: dataprotection@facilicat.com
I will respond to your request without undue delay and within one month of receiving it. If your request is complex, I may extend this period by two months and will inform you accordingly.
Right to Lodge a Complaint
If you believe I am processing your data unlawfully, you have the right to lodge a complaint with a data protection supervisory authority.
The competent authority for Baden-Württemberg:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Lautenschlagerstraße 20
70173 Stuttgart, Germany
Website: www.baden-wuerttemberg.datenschutz.de
You can also contact the supervisory authority in your country of residence or workplace.
6. Data Security
I take the security of your data seriously and implement appropriate technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access (Art. 32 GDPR).
Security measures include:
Technical measures:
- SSL/TLS encryption for all data transmission (you can see this by the lock symbol in your browser’s address bar)
- Encrypted email communication through Microsoft 365
- Regular security updates and patches
- Firewalls and intrusion detection systems
- Secure password policies and authentication mechanisms
Organizational measures:
- Access restricted to authorized personnel only (in my case, primarily myself)
- Data processing agreements with all processors
- Regular review of data protection practices
- Data minimization (collecting only what’s necessary)
- Clear data retention and deletion procedures
No security system is perfect: While I implement strong security measures, no system can guarantee 100% security. I continuously monitor and update my security practices to address new threats.
7. Appointment Booking via Microsoft Bookings
When you book an appointment through my online booking system (Microsoft Bookings), additional data protection information applies.
How the Booking Process Works
- You access the booking page
- You select a date and time
- You provide your contact information (name, email)
- Before confirming, you must acknowledge the data protection notice
- You receive an appointment confirmation via email
Required Acknowledgment
Before you can complete your booking, you will be asked to confirm:
“I acknowledge that my contact details (name, email address) will be processed for appointment scheduling via Microsoft Bookings. Data processing takes place on Microsoft servers (EU/USA) based on contract fulfillment (Art. 6(1)(b) GDPR). Further information can be found in the Privacy Policy.”
Why This Acknowledgment is Necessary
Under Art. 13 GDPR, I must inform you about data processing before collecting your data. This acknowledgment ensures you understand that:
- Your appointment data will be stored on Microsoft servers
- Microsoft acts as a data processor on my behalf
- Data may be processed in the USA under appropriate safeguards
- The legal basis is contract fulfillment (arranging our meeting)
What Happens to Your Appointment Data
- Appointment details are stored in my Microsoft 365 calendar
- You might receive automated confirmation and reminder emails
- I can see your contact information and appointment details to prepare for our meeting
- After the appointment, the data remains in my system for up to 3 years for business continuity purposes
You can cancel or modify your appointment by contacting me directly at the email or phone number provided above.
8. Changes to this Privacy Policy
Data protection law continues to evolve, as do the services and tools I use. I reserve the right to update this privacy policy to reflect:
- Changes in applicable laws and regulations
- New services or tools I implement
- Guidance from data protection authorities
- Improvements in data protection practices
When I make changes: The updated policy will be published on this page with a new “last updated” date. For significant changes that affect your rights, I will provide additional notice (e.g., via email if I have your contact information in an ongoing relationship).
Your responsibility: I encourage you to review this policy periodically to stay informed about how I protect your data.
Questions or Concerns?
If you have any questions about this privacy policy, how I handle your data, or your rights, please contact me:
Email: dataprotection@facilicat.com
Phone: +49 711 50440080
I’m here to help and committed to transparency in all data processing activities.