Privacy Policy
Learn how we collect, use, and protect your personal data when you visit this website.
Privacy at a Glance
General Notes
The following notes provide a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to identify you personally. Detailed information on data protection can be found in the privacy policy below this text.
Data Collection on This Website
Who is responsible for data collection on this website?
Data processing on this website is carried out by the website operator. You can find the contact details in the section “Information on the Controller” in this privacy policy.
How do we collect your data?
On the one hand, your data is collected when you provide it to us. This can, for example, be data that you enter in a contact form. Other data is collected by our IT systems automatically or with your consent when you visit the website. This is mainly technical data (e.g. internet browser, operating system or time of page access). This data is collected automatically as soon as you enter this website.
What do we use your data for?
Part of the data is collected to ensure the error-free provision of the website. Other data can be used to analyse your user behaviour.
What rights do you have regarding your data?
You have the right to receive information free of charge at any time about the origin, recipients and purpose of your stored personal data. You also have the right to request the rectification or deletion of this data. If you have given consent to data processing, you can revoke this consent at any time with effect for the future. You also have the right, under certain circumstances, to request the restriction of the processing of your personal data. Furthermore, you have the right to lodge a complaint with the competent supervisory authority.
You can contact us at any time regarding this or any other questions on the subject of data protection.
Analytics Tools and Third-Party Tools
When visiting this website, your browsing behaviour can be statistically evaluated. This happens mainly using analytics programs.
Detailed information about these analytics programs can be found in the following privacy policy.
Controller & Contact
Information on the Controller
The controller responsible for data processing on this website is:
- Sacro Agency eGbR
- Christoph Busse & Dylan-Maikel Odo Reffo
- Kiebitzberg 11
- 21394 Kirchgellersen
- Phone: +49 4135 2379921
- Email: hello@sacro.agency
- Email for privacy enquiries: privacy@sacro.agency
- Email for legal enquiries: legal@sacro.agency
The controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data (e.g. names, email addresses, etc.).
General Notes & Legal Bases
Data Protection
The operators of this website take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations as well as this privacy policy.
When you use this website, various personal data is collected. Personal data is data with which you can be personally identified. This privacy policy explains which data we collect and what we use it for. It also explains how and for what purpose this happens.
We point out that data transmission on the internet (e.g. communication by email) may have security gaps. Complete protection of the data from access by third parties is not possible.
Data Protection for Children
Our services are not aimed at children under the age of 18. We do not knowingly collect personal data from children under 18.
If you learn that a child under 18 has provided us with personal data, please contact us. Should we discover that we have collected personal data from children under 18 without parental consent, we will delete this data from our servers without delay.
Legal Bases for Data Processing on This Website
If you have given consent, we process your personal data on the basis of Art. 6 (1) (a) GDPR. If your data is required to fulfil a contract or to carry out pre-contractual measures, the legal basis is Art. 6 (1) (b) GDPR. Where a legal obligation exists, Art. 6 (1) (c) GDPR applies. Processing may also be based on our legitimate interests (Art. 6 (1) (f) GDPR). The respective sections of this privacy policy inform you of the applicable legal basis in each individual case.
SSL and TLS Encryption
For security reasons and to protect the transmission of confidential content, such as orders or enquiries that you send to us as the site operator, this site uses SSL or TLS encryption. You can recognise an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.
If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
Hosting and Content Delivery Networks (CDN)
This website is hosted externally. The personal data collected on this website is stored on the servers of the hosting providers. This may include automatically collected and stored server log files (see the data collection section), IP addresses, metadata and communications data, as well as data that you submit via contact forms or newsletter sign-ups.
Hosting is carried out for the purpose of providing our online offering securely, quickly and reliably and serves to fulfil contracts with potential and existing customers (Art. 6 (1) (b) GDPR) as well as our legitimate interest in the economic and secure operation of our website (Art. 6 (1) (f) GDPR).
We have concluded data processing agreements with all providers. Processing is carried out exclusively on our instructions and under appropriate technical and organisational measures.
Vercel Hosting
Provider: Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA (Privacy Notice, Data Processing Addendum, Security/Compliance information).
Vercel is used to deliver this website (hosting, edge network/CDN, build infrastructure) and processes server log data (e.g. IP address, date/time, requested resource, referrer, user agent, status code) to ensure delivery, stability, security (e.g. DDoS mitigation) and error analysis. Server-side functions are configured for the Frankfurt, Germany (fra1 / eu-central-1) region. Content is delivered globally via Vercel’s edge network/CDN. This may result in transfers to third countries (especially the USA).
Vercel is certified under the EU-US Data Privacy Framework (DPF) (participant list, participant search). Transfers outside the EU/EEA are also based on Standard Contractual Clauses. Details can be found in the DPA.
Cloudflare CDN
Provider: Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA (Privacy Notice, Data Processing Addendum).
We use Cloudflare as a globally distributed content delivery network (CDN) and security proxy. Traffic between your browser and our website may be routed through Cloudflare servers. Cloudflare processes technical connection and log data (including IP address, user agent, timestamp, requested resource) to deliver content, provide caching, improve performance and prevent malicious traffic. Cloudflare may set technically necessary cookies or similar technologies for security purposes (no advertising or marketing use).
The legal basis is Art. 6 (1) (f) GDPR (legitimate interest in secure and efficient provision). Where device access is required, this relies on Section 25 (2) no. 2 of the German TTDSG (technically necessary). Cloudflare is certified under the EU-US DPF (participant list, participant search). International transfers are based on appropriate safeguards.
Data Collection on This Website
Cookies
Our websites use so-called “cookies” or comparable technologies. Cookies do not harm your device. They are either stored temporarily for the duration of a session (session cookies) or permanently (persistent cookies). Session cookies are automatically deleted after your visit. Persistent cookies remain stored on your device until you delete them yourself or your browser deletes them automatically.
Cookies can have various functions. Technically necessary cookies are required to enable certain website functions (e.g. form submissions, security features, authentication for protected areas) or to store preferences (e.g. language/locale, theme choices, audio playback status). We currently do not use analytics or marketing cookies.
You can configure your browser to inform you when cookies are set and only allow cookies in individual cases, to exclude cookies in certain cases or in general, and to activate automatic deletion of cookies when the browser is closed. Disabling technically necessary cookies may limit the functionality of this website.
Where cookies are technically necessary, processing is based on Section 25 (2) no. 2 TTDSG and Art. 6 (1) (f) GDPR. Details (including lifetimes) can be found in our detailed cookie overview.
Server Log Files
The provider of our website (see the Hosting/CDN section – Vercel and Cloudflare) automatically collects and stores information in so-called server log files, which your browser automatically transmits. Among other things, these include:
- Browser type and browser version
- Operating system used
- Referrer URL
- Requested URL/request path
- Date and time of the server request
- IP address
- User agent and, where applicable, HTTP status code
This processing is required for technical operation, stability, security (e.g. DDoS protection, abuse detection) and error analysis.
This data is not merged with other data sources. The legal basis is Art. 6 (1) (f) GDPR (legitimate interest in the technical provision, security and optimisation of our online offering).
Log data is generally processed only for the purposes mentioned above and then deleted or anonymised. Depending on the hosting/CDN provider used, processing may take place via globally distributed servers. This may involve transfers to third countries (especially the USA). For details about the providers used and the safeguards in place, see the Hosting and CDN section.
Contact Form
When you send us enquiries via the contact form, the information you provide in the form, including the contact details you enter, is stored by us for the purpose of processing your enquiry and in case of follow-up questions. We do not pass on this data without your consent.
The processing of this data is based on Art. 6 (1) (b) GDPR if your enquiry is related to the performance of a contract or is necessary for pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective handling of enquiries addressed to us (Art. 6 (1) (f) GDPR) or on your consent (Art. 6 (1) (a) GDPR) if it has been requested. Consent can be revoked at any time.
The data you enter in the contact form remains with us until you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your enquiry has been processed). Mandatory statutory provisions (in particular retention periods) remain unaffected.
Enquiry by Email or Telephone
If you contact us by email or telephone, your enquiry, including all personal data resulting from it (name, enquiry), is stored and processed by us for the purpose of handling your request. We do not pass on this data without your consent.
The processing of this data is based on Art. 6 (1) (b) GDPR if your enquiry is related to the performance of a contract or is necessary for pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective handling of enquiries (Art. 6 (1) (f) GDPR) or on your consent (Art. 6 (1) (a) GDPR) if it has been requested. Consent can be revoked at any time.
The data you send to us as part of contact requests remains with us until you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory statutory provisions (in particular statutory retention periods) remain unaffected.
Plugins and Tools
Google Fonts
This site uses Google Fonts provided by Google for the uniform display of fonts. The Google Fonts are installed locally. No connection to Google servers takes place.
Further information about Google Fonts can be found in the Google Fonts FAQ and in Google’s privacy policy.
Reach Measurement & Performance
Vercel Web Analytics
We use Vercel Web Analytics to obtain aggregated usage statistics for our website (e.g. page views, referrers, device/browser categories, country). Tracking takes place without cookies and without personal identifiers. Users are recognised via a hash derived from the incoming request. Session lifetimes are not stored permanently and are removed after 24 hours. Individual browsing sessions are not reconstructed and no cross-site identification takes place.
The legal basis is Art. 6 (1) (f) GDPR (legitimate interest in analysing and optimising technical stability and performance). Further information: Vercel Web Analytics – Privacy & Compliance, Vercel Privacy Notice.
Vercel Speed Insights
We use Vercel Speed Insights to measure performance (Core Web Vitals) via real-user monitoring. For each measurement we collect route/URL, network speed, browser, device type, operating system, country (ISO code) and the respective Web Vital values including attribution. Recording is anonymous. No information is collected or stored that would allow identification of individual visitors, no cookies are set and sessions are not reconstructed.
The legal basis is Art. 6 (1) (f) GDPR (legitimate interest in analysing and improving website performance). Further information: Vercel Speed Insights – Privacy & Compliance, Speed Insights – Overview.
Note: We configure the implementations so that no sensitive data (e.g. IDs, email addresses, tokens) is transmitted in events/URLs (redaction via beforeSend). See the linked developer documentation for details.
Forms & Communication
Contact Forms
When you contact us via our forms, we process the data you enter (e.g. name, email address, message text, timestamps and technical metadata) to handle your request and in case of follow-up questions. The legal bases are Art. 6 (1) (b) GDPR (contract/initiation) and Art. 6 (1) (f) GDPR (legitimate interest in efficient communication). Where consent is requested (e.g. for optional follow-ups), processing is based on Art. 6 (1) (a) GDPR.
For convenience, we may temporarily store unfinished form entries locally in your browser (local/session storage), e.g. name, email address or message text, so that input is not lost when navigating away. This draft data remains on your device and is only transmitted to us when you actively submit the form.
We store and manage form data in Supabase (processor). Supabase relies on the sub-processor Amazon Web Services (AWS) for its infrastructure. Depending on the project/infrastructure configuration, processing may take place in data centres within the EU or in third countries (especially the USA). We have concluded a data processing agreement with Supabase. International transfers are based on suitable safeguards (including Standard Contractual Clauses). Further information: Supabase Privacy, Supabase DPA.
Alternatively, you can reach us directly by email at feedback@sacro.agency.
Retention: Form submissions are stored beyond the actual processing of the request for documentation and evidence purposes, provided that no statutory retention obligations conflict with this. We review necessity regularly and delete or anonymise data as soon as the purpose no longer applies.
Internal Notifications
To ensure swift handling, we automatically forward selected form data as notifications to our internal communication tool Slack (incoming webhook). The recipient is Slack Technologies, LLC. Data is shared solely for internal processing of your request (no marketing).
The legal basis is Art. 6 (1) (f) GDPR (legitimate interest in efficient team communication). We have a data processing agreement with Slack. International transfers (e.g. to the USA) are secured by Standard Contractual Clauses and participation in the EU-US Data Privacy Framework. Further information: Slack Privacy, Slack DPA, DPF list, DPF participant search.
Confirmation & Transactional Emails
We use Resend as a processor to send system emails (e.g. acknowledgements for form submissions, double opt-in emails). Data processed includes your email address, subject/content and technical delivery information (sent/delivered/bounce status). For low latency, messages are delivered via an EU region (e.g. eu-west-1, Ireland). Resend stores customer/log data in the USA. Transfers are safeguarded by Standard Contractual Clauses (SCC) in Resend’s DPA.
Legal bases: Art. 6 (1) (b) GDPR (contract/initiation) and Art. 6 (1) (f) GDPR (legitimate interest in reliable transactional communication). Resend holds, among others, SOC 2 Type II certification. Further information: Resend Privacy, Resend DPA, Resend GDPR.
Note on metrics: Events such as “sent”, “delivered”, “opened”, “clicked” and “bounce” are logged automatically by Resend and stored in our Supabase instance to monitor delivery quality and deliverability. No cross-person profiling takes place. For device-related technologies, see our cookie overview.
Newsletter
We use Resend for our newsletter. After you sign up, you will receive a confirmation email (double opt-in). Only after clicking the individual confirmation link do we add you to the mailing list and send the welcome newsletter.
For this process we store the email address provided, optional first name, language/locale, form source and a randomly generated confirmation token with an expiry date (currently 7 days). Tokens are marked as consumed after confirmation or expiry. The associated records are retained to meet statutory documentation obligations.
To prevent loss of progress before submission, newsletter form entries (e.g. email address and optional first name) may also be stored temporarily in your browser (local/session storage). This local draft data remains on your device until you submit the form or clear your browser storage/session.
Legal basis: Art. 6 (1) (a) GDPR (consent). For compliance and record-keeping we store subscription and unsubscription data for a reasonable period. Delivery and interaction events (e.g. sent/delivered/opened/clicked/bounce/unsubscribe) are captured automatically and stored in our Supabase instance to improve content and deliverability. You can object at any time via the unsubscribe link or by contacting us.
Service provider information: Resend Privacy, Resend DPA, Resend GDPR.
International Data Transfers
Within the scope of the services described in this privacy policy, personal data may be transferred to recipients in third countries (in particular the USA). This mainly concerns providers for hosting/CDN, form data management and email delivery. Where no adequacy decision exists, providers rely on appropriate safeguards (especially EU Standard Contractual Clauses). Where available, some providers also participate in the EU-US Data Privacy Framework. Further details can be found in the sections on the respective providers.
Retention & Deletion
Unless a more specific retention period is stated in this privacy policy, your personal data remains with us until the purpose for data processing no longer applies. If you exercise a justified request for deletion or revoke your consent to processing, your data will be deleted unless we have other legally permissible reasons for retaining your personal data (e.g. tax or commercial retention periods). In the latter case, deletion takes place after these reasons no longer apply.
We also store form submissions for documentation and evidence purposes for an appropriate period. Afterwards, we delete or anonymise the data, provided no statutory retention obligations oppose this.
Rights of Data Subjects
You have the right to access (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction of processing (Art. 18 GDPR), data portability (Art. 20 GDPR) and the right to object to processing based on Art. 6 (1) (e) or (f) GDPR (Art. 21 GDPR).
Where processing is based on your consent, you may revoke this consent at any time with effect for the future (Art. 7 (3) GDPR).
To exercise your rights, simply contact us (see the “Controller & Contact” section).
We do not engage in automated decision-making or profiling within the meaning of Art. 22 GDPR.
Right to Object under Art. 21 GDPR
You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you that is based on Art. 6 (1) (f) GDPR. If personal data is processed for direct marketing, you have the right to object at any time to such processing. This also applies to profiling to the extent that it is related to such direct marketing.
Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority, in particular in the member state of your habitual residence, place of work or the place of the alleged infringement. For us, the competent authority is usually the State Commissioner for Data Protection of Lower Saxony.
Competent supervisory authority: State Commissioner for Data Protection of Lower Saxony.
Security
We use TLS/HTTPS to protect data during transmission and implement appropriate technical and organisational measures (access restrictions, logging, separation of duties) to protect your data against loss, misuse or unauthorised access.
Processors & Sub-Processors
- Vercel Inc. – Hosting/Edge/CDN – DPA · Privacy
- Cloudflare, Inc. – CDN/Security – DPA · Privacy
- Amazon Web Services – Infrastructure/sub-processor for Vercel and Supabase – Privacy
- Supabase, Inc. – Form data/DB – DPA · Privacy
- Resend, Inc. – Email/newsletter delivery – DPA · Privacy
- Slack Technologies, LLC – Internal notifications – DPA · Privacy
- Upstash, Inc. – Rate limiting (Redis) – DPA · Privacy
- Mapbox, Inc. – Map rendering/geocoding – DPA · Privacy
Additional service providers (e.g. for abuse protection/rate limiting) will be listed in the current version of this overview if used.
Accessibility
Even though we are not legally obliged to do so, we voluntarily publish an accessibility statement to provide transparency and set a good example for our enterprise clients. We follow the WCAG 2.1 (level AA) guidelines and continuously improve accessibility.
You can report accessibility feedback or issues via accessibility@sacro.agency or our feedback form. Details about review intervals, contact channels and current measures can be found on the linked page.
Changes
We update the page "Privacy Policy" when needed. We will let you know about changes by publishing the new version.
Please review the page "Privacy Policy" regularly for updates. Changes take effect as soon as they are published.
Last updated: