Privacy Policy

Note: This is an English translation provided as a courtesy. The legally binding version under German and EU law is the German Datenschutzerklärung.

Preamble

With the following privacy policy, we would like to inform you about the types of personal data (hereinafter also referred to as "data") we process, for what purposes, and to what extent. The privacy policy applies to all processing of personal data we carry out, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within external online presences such as our social media profiles (hereinafter collectively referred to as "online offering").

The terms used are not gender-specific.

Last updated: 3 May 2026

Controller

Alejandro Gutierrez Cornelio
AGC Consult
Friedenstraße 59
97072 Würzburg
Germany

Email: contact@agcconsult.com

Phone: +49 151 53670130

Imprint: https://agcconsult.com/impressum.html

Overview of processing activities

The following overview summarises the types of data processed and the purposes of their processing, and refers to the data subjects.

Types of data processed

Categories of data subjects

Purposes of processing

Relevant legal bases

Relevant legal bases under the GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the GDPR, national data protection regulations may apply in your or our country of residence or domicile. If, in individual cases, more specific legal bases apply, we will inform you of these in the privacy policy.

National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national data protection regulations apply in Germany. These include in particular the Federal Data Protection Act (BDSG). The BDSG contains special regulations on the right to information, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes and transmission, as well as automated decision-making in individual cases including profiling. Furthermore, state data protection laws of the individual federal states may apply.

Security measures

We take appropriate technical and organisational measures in accordance with statutory requirements, taking into account the state of the art, the cost of implementation, and the nature, scope, context, and purposes of processing as well as the varying likelihood and severity of risk to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.

Measures include in particular safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as the access, input, and transmission relating to it, the safeguarding of its availability, and its segregation. Furthermore, we have established procedures to ensure the exercise of data subject rights, the deletion of data, and responses to data threats. We also take the protection of personal data into account during the development and selection of hardware, software, and procedures in accordance with the principle of data protection by design and by default.

Securing online connections via TLS/SSL encryption (HTTPS): To protect the user data transmitted via our online services from unauthorised access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt the information transmitted between the website or app and the user's browser (or between two servers), thereby protecting the data from unauthorised access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is signalled by the display of HTTPS in the URL. This serves as an indicator to users that their data is being transmitted securely and in encrypted form.

Transmission of personal data

In the course of our processing of personal data, it may happen that the data is transmitted to or disclosed to other entities, companies, legally independent organisational units, or persons. Recipients of this data may include, for example, IT service providers commissioned with such tasks or providers of services and content embedded in a website. In such cases, we comply with statutory requirements and conclude appropriate contracts or agreements that serve to protect your data with the recipients of your data.

International data transfers

Data processing in third countries: If we transfer data to a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or if this occurs in the context of using third-party services or the disclosure or transfer of data to other persons, entities, or companies (which is recognisable from the postal address of the respective provider or if the privacy policy expressly refers to data transfer to third countries), this is always done in accordance with statutory requirements.

For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which has been recognised as a secure legal framework by an adequacy decision of the EU Commission dated 10 July 2023. In addition, we have concluded standard contractual clauses with the respective providers, which comply with the requirements of the EU Commission and establish contractual obligations to protect your data.

This dual safeguarding ensures comprehensive protection of your data: the DPF forms the primary level of protection, while the standard contractual clauses serve as additional security. Should there be changes within the DPF framework, the standard contractual clauses act as a reliable fallback. In this way, we ensure that your data remains adequately protected even in the event of political or legal changes.

In the case of individual service providers, we will inform you whether they are certified under the DPF and whether standard contractual clauses are in place. You can find further information on the DPF and a list of certified companies on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/.

For data transfers to other third countries, corresponding security measures apply, in particular standard contractual clauses, explicit consent, or legally required transfers. Information on third-country transfers and applicable adequacy decisions can be found on the EU Commission's website: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en.

General information on data storage and deletion

We delete personal data that we process in accordance with statutory provisions as soon as the underlying consents are revoked or there are no further legal grounds for processing. This applies to cases in which the original purpose of processing no longer applies or the data is no longer required. Exceptions to this rule exist if statutory obligations or special interests require longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax law reasons, or whose storage is necessary for legal prosecution or for the protection of the rights of other natural or legal persons, must be archived accordingly.

Our privacy notices contain additional information on the retention and deletion of data that applies specifically to certain processing operations.

Where there are several specifications regarding the retention period or deletion deadlines for a given piece of data, the longest period shall apply. Data that is no longer retained for the originally intended purpose, but rather due to legal requirements or other reasons, is processed exclusively for the reasons that justify its retention.

Retention and deletion of data: The following general retention and archiving periods apply under German law:

Period begins at end of year: If a period does not expressly start on a specific date and lasts at least one year, it automatically starts at the end of the calendar year in which the triggering event occurred. In the case of ongoing contractual relationships under which data is stored, the triggering event is the time at which the termination becomes effective or the legal relationship is otherwise terminated.

Rights of data subjects

Rights of data subjects under the GDPR: As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 21 GDPR:

Commercial services

We process the personal data of our contractual and business partners, such as customers, clients, prospective customers, suppliers, and other cooperation partners (collectively "contractual partners"), for the initiation, execution, and processing of contractual relationships and comparable legal relationships. This also includes pre-contractual measures taken on request, as well as communication in connection with the respective contractual relationship.

The processing serves in particular to fulfil our principal and ancillary contractual obligations. This includes the provision of the agreed services, any update and information obligations, the handling of warranty and other performance disturbances, the processing of cancellations, terminations of long-term obligations, reversals, refunds, and the handling of other contract-related declarations and inquiries. Both one-off contracts and ongoing contractual relationships are covered.

In particular, we process master data such as name, address, and any company name, contact data such as email address and telephone number, contract and service data such as the subject of the contract, contract duration, order or transaction number, usage and service data, payment and billing data, as well as communication content and history. Where necessary, we also process data disclosed or transmitted to us in the context of the execution of an order.

In addition, we process the data to safeguard our rights and to fulfil legal obligations. This includes in particular commercial and tax law retention obligations, documentation obligations, and any obligations to provide evidence and accountability. Furthermore, processing takes place on the basis of our legitimate interests in proper business management, internal administration, risk management, and IT security, as well as the protection of our business operations and our contractual partners against misuse, endangerment of data, secrets, and other legal interests. This may also include the involvement of external service providers such as IT and telecommunications providers, transport and logistics companies, payment service providers, banks, tax and legal advisors, or other vicarious agents, insofar as this is necessary for the execution of the contract or the fulfilment of legal obligations.

Personal data is only passed on to third parties to the extent necessary for the performance of the contract, the implementation of pre-contractual measures, the protection of legitimate interests, or the fulfilment of legal obligations. Any further processing, in particular for marketing purposes, is communicated separately within the framework of this privacy policy.

We will inform contractual partners of which data is required in individual cases as part of data collection, e.g. in online forms by appropriate marking or in personal contact.

The data is deleted as soon as it is no longer required for the aforementioned purposes and no statutory retention obligations stand in the way. Statutory retention periods, in particular under commercial and tax law, may require longer storage. Data transmitted in connection with a specific order is deleted by us after completion of the order and expiration of any retention periods, provided there are no further legal or contractual obligations to store it.

The legal basis for processing is Art. 6 (1) lit. b GDPR for the implementation of pre-contractual measures and the fulfilment of the respective contractual relationship, and Art. 6 (1) lit. c GDPR for the fulfilment of legal obligations. Where the processing is based on legitimate interests, it takes place on the basis of Art. 6 (1) lit. f GDPR. Where processing is based on Art. 6 (1) lit. f GDPR, it serves the protection of our legitimate interests in proper and efficient business organisation, the internal administration and documentation of business transactions, the enforcement and defence of legal claims, ensuring IT and data security, the prevention of misuse and fraud, and the economic management and further development of our business operations.

Further information on processing operations, procedures, and services:

Provision of the online offering and web hosting

We process user data in order to be able to provide our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.

Further information on processing operations, procedures, and services:

Hosting and infrastructure provider in use: Cloudflare

For hosting and provision of our online offering, we use the services of Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA (hereinafter "Cloudflare"). Cloudflare is used by us for several interconnected functions:

Each time our online offering is accessed, technically necessary data is processed via the Cloudflare infrastructure, in particular the IP address, the user-agent (browser type and version), the referrer (previously visited page), the date and time of access, and the transmitted data volume.

Third-country transfer: Data processing takes place in part on servers in the USA. Cloudflare is certified under the EU-US Data Privacy Framework (DPF). In addition, we have concluded a data processing agreement (standard contractual clauses) with Cloudflare.

Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in stable, secure, and performant provision of the online offering).

Provider's privacy policy: https://www.cloudflare.com/privacypolicy/

Data Processing Agreement (DPA): https://www.cloudflare.com/cloudflare-customer-dpa/

Use of cookies

The term "cookies" refers to functions that store information on users' devices and read information from them. Cookies can also be used for various purposes, e.g. for the functionality, security, and convenience of online offerings, as well as for the creation of analyses of visitor flows. We use cookies in accordance with statutory provisions. Where required, we obtain users' prior consent. If consent is not necessary, we rely on our legitimate interests. This applies if storing and reading information is essential to be able to provide expressly requested content and functions. This includes, for example, the storage of settings and ensuring the functionality and security of our online offering. Consent can be revoked at any time. We provide clear information about the scope of consent and which cookies are used.

Notes on data protection legal bases: Whether we process personal data using cookies depends on consent. If consent is given, it serves as a legal basis. Without consent, we rely on our legitimate interests, which are explained above in this section and in the context of the respective services and procedures.

Storage period: With regard to the storage period, the following types of cookies are distinguished:

General notes on revocation and objection (opt-out): Users can revoke consents they have given at any time and also object to processing in accordance with statutory requirements, including via their browser's privacy settings.

Cookies actually used

This website uses exclusively one technically necessary cookie:

Consent is not required for this under § 25 (2) no. 2 TTDSG (German Telecommunications-Telemedia Data Protection Act), as the cookie is strictly necessary for the provision of a service expressly requested by the user (language switching). No tracking, analytics, or advertising cookies are set. You can delete the cookie at any time via your browser's privacy settings.

Contact and inquiry management

When you contact us (e.g. by post, contact form, email, telephone, or via social media) and within existing user and business relationships, the information of the inquiring persons is processed insofar as this is necessary to respond to the contact inquiries and any requested measures.

Further information on processing operations, procedures, and services:

Specific processing via our contact form

Via the contact form on agcconsult.com, we process the following information:

The form additionally contains a hidden field ("honeypot") for the automatic detection and prevention of spam bots. No external CAPTCHA system is used.

Data flow: After submission, the entries are first transmitted in encrypted form (HTTPS) to a Cloudflare Worker. This validates the data, checks the honeypot field, and then hands over email sending to the service provider Resend (Resend, Inc., 2261 Market Street #4242, San Francisco, CA 94114, USA). The recipient address contact@agcconsult.com is forwarded via Cloudflare Email Routing to our personal mailbox.

Third-country transfer: Processing via Cloudflare and Resend takes place in part in the USA. Both providers are certified under the EU-US Data Privacy Framework; in addition, standard contractual clauses are in place.

Storage period: We store the transmitted data for as long as is necessary to process your inquiry. If a contractual relationship subsequently arises, the commercial and tax law retention periods apply (see section "General information on data storage and deletion").

Legal bases: Art. 6 (1) lit. b GDPR (initiation of a contractual relationship) and Art. 6 (1) lit. f GDPR (legitimate interest in efficient processing of inquiries).

Email sending service provider in use – Resend: Resend is used exclusively for the technical sending of emails received via the contact form to our own mailbox. A data processing agreement (DPA) has been concluded with Resend.

Resend privacy policy: https://resend.com/legal/privacy-policy

Resend Data Processing Agreement: https://resend.com/legal/dpa

Presence on social networks (social media)

We maintain online presences within social networks and process user data in this context in order to communicate with the users active there or to offer information about us.

We point out that user data may be processed outside the European Union. This may give rise to risks for users, as it could, for example, make it more difficult to enforce user rights.

Furthermore, the data of users within social networks is generally processed for market research and advertising purposes. For example, usage profiles can be created based on the user behaviour and the resulting interests of the users. The latter may in turn be used to display advertisements within and outside the networks that presumably correspond to the interests of the users. For this purpose, cookies are usually stored on the users' computers, in which the usage behaviour and interests of the users are stored. In addition, data can be stored in the usage profiles regardless of the devices used by the users (in particular if they are members of the respective platforms and are logged in there).

For a detailed presentation of the respective forms of processing and the possibilities of objection (opt-out), we refer to the privacy policies and information of the operators of the respective networks.

We also point out that requests for information and the assertion of data subject rights can be most effectively asserted with the providers. Only the latter have access to user data and can take corresponding measures and provide information directly. If you nevertheless need help, you can contact us.

Further information on processing operations, procedures, and services:

Links to external websites

Our privacy policy and our imprint contain references to third-party websites, such as supervisory authorities, EU platforms, the privacy policies of our service providers, and the sources of our legal texts (license attributions). When you click on such a link, you are redirected to the respective external website, whereby your IP address and browser information are transmitted to the provider of that website.

We have no influence on the data processing taking place there. The respective privacy policies of the external providers apply. Automatic transmission of your data to these entities does not take place when our website is merely accessed.

Changes and updates

We ask you to inform yourself regularly about the content of our privacy policy. We adapt the privacy policy as soon as changes in the data processing carried out by us make this necessary. We will inform you as soon as the changes require any cooperation on your part (e.g. consent) or other individual notification.

If we provide addresses and contact information of companies and organisations in this privacy policy, please note that the addresses may change over time and please verify the information before contacting us.

Competent supervisory authority

Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18
91522 Ansbach
Germany

Phone: +49 981 180093-0
Email: poststelle@lda.bayern.de
Internet: https://www.lda.bayern.de

Definitions

In this section, you will find an overview of the terms used in this privacy policy. Insofar as the terms are legally defined, their statutory definitions apply. The following explanations, on the other hand, are intended primarily to aid understanding.

Created with the free Datenschutz-Generator.de by Dr. Thomas Schwenke
