Privacy policy

As of: March 2026

The following information explains which personal data we process in connection with our online offering. This Privacy Policy applies to our website as well as to our external online presences, in particular on social networks, insofar as reference is made there to this Privacy Policy or we process personal data there under our own responsibility.

Personal data means any information relating to an identified or identifiable natural person. Personal designations used in this Privacy Policy apply equally to all genders.

1. Controller

iRights.Lab GmbH
Managing Director: Philipp Otto
Oranienstraße 185
10999 Berlin
Telephone: +49 (0)30 40 36 77 230
Fax: +49 (0)30 40 36 77 260
Email: kontakt@irights-lab.de

2. Data Protection Officer

Attorney Jan Mönikes
HÄRTING Rechtsanwälte PartGmbB
Chausseestraße 13
10115 Berlin
Email: datenschutz@irights-lab.de

3. Categories of Data Processed, Data Subjects and Purposes

Depending on how you use our online offering, we process in particular the following categories of personal data:

·       Master data, such as names or other details that you provide to us when contacting us or registering,

·       Contact data, such as email addresses or telephone numbers,

·       Content data, such as the contents of form messages, survey responses or other communications,

·       Usage data, such as pages visited, interactions, and the time and duration of access,

·       Meta and communication data, such as IP addresses, device and browser information, or referrer information.

The persons affected by the processing are in particular visitors to our website, communication partners, newsletter subscribers, and persons who interact with our presences on social networks.

Processing is carried out in particular for the following purposes:

·       Provision, operation and security of our online offering,

·       Managing and responding to enquiries,

·       Sending newsletters and other electronic information,

·       Conducting surveys and evaluations,

·       Measuring reach and improving our online offering,

·       Providing and maintaining our presences on social networks,

·       Embedding external media, maps and other content.

4. Legal Bases for Processing

We process personal data only where there is a legal basis for doing so. In particular, the following may apply:

·       Article 6(1) sentence 1 lit. a GDPR (consent),

·       Article 6(1) sentence 1 lit. b GDPR (performance of a contract or implementation of pre-contractual measures),

·       Article 6(1) sentence 1 lit. c GDPR (compliance with a legal obligation),

·       Article 6(1) sentence 1 lit. f GDPR (legitimate interests).

To the extent that information is stored on your end device or read from it when cookies or similar technologies are used, permissibility is additionally governed by Section 25 TDDDG.

5. Recipients, Processors and Third-Country Transfers

We use technical and organisational service providers that may process personal data on our behalf or under their own data protection responsibility. These recipients may include in particular hosting providers, mailing service providers, providers of consent management solutions, analytics and social media platforms, as well as providers of embedded content.

To the extent that data is processed outside the European Union (EU) or the European Economic Area (EEA), or access from a third country cannot be ruled out, this takes place only if the legal requirements of Articles 44 et seq. GDPR are met. This may be the case in particular on the basis of an adequacy decision of the European Commission, for example under the EU-U.S. Data Privacy Framework, or on the basis of standard contractual clauses of the European Commission together with supplementary protective measures.

Further details on recipients and third-country transfers can be found in the relevant processing operations described in this Privacy Policy.

6. Consent Management with Cookiebot

We use the Cookiebot consent management platform on our website. The provider is Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark. Further information on Cookiebot is available at https://www.cookiebot.com; the provider's privacy notice is available at https://www.cookiebot.com/de/privacy-policy/.

Cookiebot is used to obtain, manage, technically implement and document consents for the use of non-essential cookies and similar technologies. In particular, Cookiebot processes the shortened or anonymised IP address, the date and time of consent or refusal, browser and device information, the URL accessed, a random key value, and the respective consent status.

Processing is carried out in order to comply with our legal obligation to be able to demonstrate consents, Article 6(1) sentence 1 lit. c GDPR in conjunction with Article 7(1) GDPR, and additionally on the basis of our legitimate interest in legally compliant and user-friendly consent management, Article 6(1) sentence 1 lit. f GDPR. To the extent that information on your end device is accessed or stored for this purpose, this is done on the basis of Section 25(2) no. 2 TDDDG.

The consent decision is stored in a cookie and may - depending on your browser and settings - be recognised for up to 12 months. You can withdraw or adjust your consent at any time with effect for the future using the function provided on the website to change cookie settings.

7. Cookies and Similar Technologies

We use cookies and similar technologies to technically provide our online offering, operate it securely and - where you consent - measure reach or conveniently embed external content.

We use technically necessary cookies and similar technologies to the extent this is necessary for the operation of the website or for functions expressly requested by you. The legal basis is Article 6(1) sentence 1 lit. f GDPR; access to or storage on your end device takes place on the basis of Section 25(2) no. 2 TDDDG.

We use non-essential cookies and similar technologies only after obtaining your prior consent. The legal basis is Article 6(1) sentence 1 lit. a GDPR; access to or storage on your end device takes place on the basis of Section 25(1) TDDDG.

Technically necessary cookies may include, in particular, security and session cookies of the content management system used, such as "XSRF-TOKEN" and "irights_website_session". Optional cookies relate in particular to the storage of your decision on the use of web analytics. Further information on the specific cookies used, storage periods and providers can be found in our cookie banner or in the cookie declaration linked there.

8. Provision of the Website, Content Management System and Hosting

We use the Kirby content management system of Content Folder GmbH & Co. KG, Böhmer Weg 22, 69151 Neckargemünd, Germany, to maintain and provide our website. The technical implementation and support of the website are provided by Studio Humm, Immanuelkirchstraße 28, 10405 Berlin, Germany.

Our website is hosted by ALL-INKL.COM - Neue Medien Münnich, owner René Münnich, Hauptstraße 68, 02742 Friedersdorf, Germany.

In the context of providing the website, we process in particular the IP address, date and time of retrieval, accessed pages and files, data volumes transmitted, status messages, browser type and browser version, operating system, referrer URL, and the requesting provider.

Processing is necessary in order to deliver the website, ensure its stability and security, analyse errors and defend against attacks. The legal basis is Article 6(1) sentence 1 lit. f GDPR.

Server log files are generally deleted or anonymised no later than after 7 days, unless longer storage is required in individual cases to investigate misuse or security incidents.

9. Newsletter and Other Electronic Information

We send newsletters and other electronic information only with your consent or on the basis of a statutory permission.

For registration, we regularly process your email address. Further information may be voluntary if it is required for personalisation or for controlling the content of the newsletter.

Registration generally takes place using the double opt-in procedure. We log the registration, confirmation, time and IP address in order to be able to prove the registration and any consent that may have been given.

We use Brevo to send newsletters. According to the provider's information, the legal provider is Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany; Brevo is the product and brand name. Brevo processes recipient data on our behalf.

The legal basis for sending newsletters on the basis of a registration is Article 6(1) sentence 1 lit. a GDPR. Where permitted by law, sending may in individual cases also be based on Article 6(1) sentence 1 lit. f GDPR, for example in the context of permissible marketing to existing customers.

Logging the registration process and managing blocklists are carried out on the basis of our legitimate interest in legally compliant and efficient newsletter management, Article 6(1) sentence 1 lit. f GDPR.

We may store unsubscribed email addresses for up to three years in order to defend against claims and to document consent that was once given. In this case, processing is limited to this purpose. You can withdraw your consent at any time with effect for the future; an unsubscribe link is included in every newsletter.

10. Translation of Selected Content Using DeepL API Pro

We use DeepL API Pro of DeepL SE, Maarweg 165, 50825 Cologne, Germany, to translate selected content into English.

To the extent that the texts to be translated contain personal data, such data are transmitted to DeepL in order to create a machine translation. After the translation, the content is reviewed by our editorial staff and revised if necessary.

The legal basis is Article 6(1) sentence 1 lit. f GDPR. Our legitimate interest lies in the efficient multilingual provision of our content. To the extent that translations are carried out in connection with contractual or pre-contractual matters, Article 6(1) sentence 1 lit. b GDPR may also apply.

According to DeepL, texts processed in the Pro version we use are not stored permanently and are not used to train AI models. Where we use DeepL to process personal content on our behalf, we conclude a data processing agreement with DeepL pursuant to Article 28 GDPR.

11. Surveys and Questionnaires

When we conduct surveys or questionnaires, we evaluate the results, where possible, anonymously or at least in aggregated form.

To the extent technically necessary, the IP address, browser information, timestamps, session information and the answers entered by you may in particular be processed for the purpose of conducting the survey.

The legal basis is Article 6(1) sentence 1 lit. f GDPR. Our legitimate interest lies in obtaining feedback and improving our services. To the extent that we expressly ask you for consent, Article 6(1) sentence 1 lit. a GDPR is the legal basis.

We delete personal survey data as soon as it is no longer required for the purpose of the survey. Anonymous or aggregated evaluations may be retained permanently.

12. Web Analytics with Matomo

We use the web analytics software Matomo on our website in a self-hosted version. Processing takes place exclusively on our own server; the usage data collected by Matomo is not disclosed to third parties.

Matomo helps us understand which content is used particularly frequently and how we can improve the website technically and in terms of content. In particular, truncated IP addresses, page views, usage times, device and browser information, and interactions with the website are processed.

We have configured Matomo so that the IP address is processed only in truncated form (IP masking/pseudonymisation). According to the information available to us, Matomo is not used without cookies, but only after your prior consent.

To the extent that Matomo uses cookies or similar technologies, it is used exclusively on the basis of your prior consent. The legal basis is then Article 6(1) sentence 1 lit. a GDPR in conjunction with Section 25(1) TDDDG.

We delete or anonymise the usage data processed with Matomo on an ongoing basis. Cookies in connection with Matomo have a storage period of no more than 13 months.

13. Presences on Social Networks

We maintain online presences on social networks in order to provide information about our activities and to communicate with users there.

When you visit our profiles, the respective platform providers regularly process personal data for their own purposes as well. This concerns in particular usage and interaction data, device information, IP addresses and, where applicable, data about your profile and your behaviour on the respective platform. We have only limited influence over this data processing.

To the extent that you contact us via our social media profiles or we receive aggregated statistics and reach information from the platforms, we process your data for communication, public relations and optimisation of our external presentation. The legal basis is Article 6(1) sentence 1 lit. f GDPR. To the extent that contact is aimed at the conclusion or performance of a contract, Article 6(1) sentence 1 lit. b GDPR may also apply.

To the extent that platform providers make aggregated usage statistics ("Insights", "Page Insights" or comparable analytics) available to us for our pages or company profiles, joint controllership with the respective platform provider may exist in this respect. In these cases, the platform provider generally fulfils the primary information obligations towards data subjects and is the primary point of contact for the exercise of data subject rights in relation to the data processed by it. You may nevertheless also contact us. Meta provides the essence of the agreement on joint controllership for Facebook and Instagram pages at https://www.facebook.com/legal/terms/page_controller_addendum; you can contact Meta's data protection officer using the form at https://www.facebook.com/help/contact/540977946302970. The essence of the agreement on joint controllership for LinkedIn Page Insights can be found at https://legal.linkedin.com/pages-joint-controller-addendum.

We use the following platforms in particular:

·       Instagram, provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; privacy notice: https://www.facebook.com/policy; further information on data protection at Instagram: https://help.instagram.com/519522125107875.

·       Facebook, provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; privacy notice: https://www.facebook.com/policy.

·       LinkedIn, provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; privacy notice: https://www.linkedin.com/legal/privacy-policy.

·       X, provider for users in the EU: X Internet Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland; privacy notice: https://x.com/en/privacy.

In the case of platform providers headquartered in the USA or belonging to a US group, a transfer of personal data to the USA cannot be ruled out. According to the respective providers, such transfers take place on the basis of the EU-U.S. Data Privacy Framework and/or standard contractual clauses.

14. Plugins, Embedded Content and External Functions

We embed content and functions from external providers on our website, such as videos, maps or other multimedia elements. When such content is retrieved, your IP address is regularly transmitted to the respective provider, because otherwise delivery to your browser would not be technically possible. In addition, the providers may process further technical information and - depending on the type of embedding - use cookies or similar technologies.

To the extent that embedding is not already technically necessary, it generally takes place only after your consent has been obtained. In this case, the legal basis is Article 6(1) sentence 1 lit. a GDPR in conjunction with Section 25(1) TDDDG. To the extent that embedding exceptionally takes place without consent, we base this on Article 6(1) sentence 1 lit. f GDPR; access to your end device then takes place only insofar as Section 25 TDDDG permits this.

We use the following services in particular:

·       YouTube videos, provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; further information: https://policies.google.com/privacy.

·       Vimeo videos, provider: Vimeo Inc., 555 West 18th Street, New York, NY 10011, USA; further information: https://vimeo.com/privacy.

·       Google Maps, provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; further information: https://policies.google.com/privacy.

·       Locally hosted fonts (Founders Grotesk and Söhne) of Klim Type Foundry. The font files are delivered from our own European server; in this respect, no data is transferred to Klim Type Foundry or any other third parties.

In the case of Google and Vimeo, a transfer of personal data to the USA cannot be ruled out. Such transfers take place only subject to the requirements of Articles 44 et seq. GDPR; according to the providers, an adequacy decision and/or standard contractual clauses may be relevant for this, depending on the circumstances.

15. Storage Period and Deletion

We store personal data only for as long as necessary for the respective purposes or as long as statutory retention obligations exist.

As soon as the purpose of processing ceases to apply and there are no statutory retention obligations or legitimate reasons preventing further storage, the data are deleted or anonymised. To the extent that data must be retained for reasons of commercial or tax law or are required for the establishment, exercise or defence of legal claims, processing is restricted to these purposes.

We have specified specific storage periods in the individual sections of this Privacy Policy, in particular for server log files, consent documentation, newsletter blocklists and Matomo cookies.

16. Your Rights

Under the statutory provisions, you are entitled in particular to the following rights:

·       Right of access to the personal data we process (Article 15 GDPR),

·       Right to rectification of inaccurate data or completion of incomplete data (Article 16 GDPR),

·       Right to erasure (Article 17 GDPR),

·       Right to restriction of processing (Article 18 GDPR),

·       Right to data portability (Article 20 GDPR),

·       Right to object to processing based on Article 6(1) sentence 1 lit. e or f GDPR (Article 21 GDPR),

·       Right to withdraw consent granted, with effect for the future (Article 7(3) GDPR),

·       Right to lodge a complaint with a data protection supervisory authority (Article 77 GDPR).

The data protection supervisory authority responsible for us is the Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59-61, 10555 Berlin, email: mailbox@datenschutz-berlin.de.

To the extent that you exercise a right to object, we will no longer process the personal data concerned for those purposes unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of such advertising.

17. Amendments to this Privacy Policy

We adapt this Privacy Policy where this becomes necessary due to changes in the factual or legal framework. The version published on our website is authoritative.

Should any changes require action on your part or should individual processing operations be permissible only on the basis of renewed consent, we will inform you separately about this.