Privacy Policy
Preamble
With the following privacy policy, we would like to inform you about which types of your personal data (hereinafter also referred to briefly as “data”) we process for which purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both within the scope of providing our services and in particular on our websites, in mobile applications as well as within external online presences, such as our social media profiles (hereinafter collectively referred to as “online offering”).
The terms used are not gender-specific.
Status: 8 December 2025
Contents Overview
Preamble
Controller
Overview of Processing Activities
Relevant Legal Bases
Security Measures
Disclosure of Personal Data
International Data Transfers
General Information on Data Storage and Deletion
Rights of Data Subjects
Business Services
Provision of the Online Offering and Web Hosting
Use of Cookies
Blogs and Publication Media
Contact and Inquiry Management
Newsletter and Electronic Notifications
Web Analytics, Monitoring and Optimization
Social Network Presences (Social Media)
Plugins and Embedded Functions and Content
Amendment and Update
Controller
Meander Interactive UG (haftungsbeschränkt)
Winckelmannstr. 43
12487 Berlin
Germany
Email address: contact@meanderinteractive.com
Overview of Processing Activities
The following overview summarizes the types of processed data and the purposes of their processing and refers to the categories of data subjects.
Types of Processed Data
– Inventory data
– Employee data
– Payment data
– Contact data
– Content data
– Contract data
– Usage data
– Meta, communication and procedural data
– Log data
Categories of Data Subjects
– Service recipients and clients
– Employees
– Prospective customers
– Communication partners
– Users
– Business and contractual partners
– Third parties
Purposes of Processing
– Provision of contractual services and fulfillment of contractual obligations
– Communication
– Security measures
– Direct marketing
– Reach measurement
– Tracking
– Office and organizational procedures
– Audience formation
– Organizational and administrative procedures
– Feedback
– Marketing
– Profiles with user-related information
– Provision of our online offering and user-friendliness
– Information technology infrastructure
– Public relations
– Business processes and economic procedures
Relevant legal bases under the GDPR:
Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the GDPR, national data protection provisions may apply in your or our country of residence or business. Where more specific legal bases are relevant in individual cases, we will inform you of these in the privacy policy.
– Consent (Art. 6(1)(1)(a) GDPR) – The data subject has given consent to the processing of personal data concerning them for one or more specific purposes.
– Contract performance and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
– Legal obligation (Art. 6(1)(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
– Legitimate interests (Art. 6(1)(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, fundamental rights or freedoms of the data subject requiring protection of personal data.
Security Measures
We take appropriate technical and organizational measures in accordance with the statutory requirements, taking into account the state of the art, the implementation costs, and the nature, scope, circumstances, and purposes of the processing as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.
These measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access, input, transfer, securing availability, and separation of the data. Furthermore, we have established procedures to ensure the exercise of data subject rights, deletion of data, and responses to data threats. We also take data protection into account already during the development or selection of hardware, software, and procedures in accordance with the principle of data protection by design and by default.
Securing online connections through TLS/SSL encryption technology (HTTPS):
To protect user data transmitted through our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt the information transmitted between the website or app and the user’s browser (or between two servers), thereby protecting the data from unauthorized access. TLS, as the advanced and more secure version of SSL, ensures that all data transfers meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator to users that their data is being transmitted securely and in encrypted form.
Disclosure of Personal Data
Within the scope of our processing of personal data, it may occur that such data is transmitted to or disclosed to other entities, companies, legally independent organizational units, or persons. Recipients of such data may include, for example, service providers commissioned with IT tasks or providers of services and content integrated into a website. In such cases, we comply with statutory requirements and, in particular, conclude corresponding contracts or agreements with the recipients of your data that serve to protect your data.
International Data Transfers
Data processing in third countries:
If we transmit data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or this takes place in the context of the use of services by third parties or disclosure or transmission of data to other persons, entities, or companies (which can be recognized by the provider’s address or if the privacy policy explicitly refers to a data transfer to a third country), this is always done in accordance with legal requirements.
For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), recognized as a secure legal framework by an adequacy decision of the EU Commission dated 10 July 2023. In addition, we may conclude Standard Contractual Clauses with the respective providers, which comply with the EU Commission’s requirements and establish contractual obligations for the protection of your data.
This safeguards comprehensive protection of your data: the DPF forms the primary protection layer, while Standard Contractual Clauses serve as additional security. Should changes arise concerning the DPF, the Standard Contractual Clauses act as a reliable fallback. This ensures that your data remains properly protected even in the event of political or legal developments.
For data transfers to other third countries, corresponding protective measures apply, particularly Standard Contractual Clauses, explicit consent, or legally required transfers. Information on third-country transfers and applicable adequacy decisions can be found on the website of the EU Commission.
General Information on Data Storage and Deletion
We delete personal data that we process in accordance with statutory requirements as soon as the underlying consents are withdrawn or no other legal bases for processing exist. This concerns cases where the original processing purpose no longer applies or the data is no longer needed. Exceptions apply when statutory obligations or special interests require longer retention or archiving.
In particular, data that must be stored for commercial or tax law reasons or whose retention is necessary for legal enforcement or for the protection of the rights of other natural or legal persons must be archived accordingly.
Our privacy notices contain additional information on retention and deletion specific to certain processing activities.
If multiple retention periods or deletion deadlines are specified for a dataset, the longest period always applies. Data that is no longer required for the original purpose but must be stored due to legal requirements or other reasons will only be processed for the reasons justifying their retention.
Retention and Deletion of Data: General statutory retention periods under German law
– 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, and the working instructions and organizational documents necessary for their understanding.
– 8 years – Accounting records, such as invoices and cost receipts.
– 6 years – Other business documents, e.g., received and sent commercial or business letters, other tax-relevant documents.
– 3 years – Data for asserting, exercising, or defending claims according to the regular statute of limitations.
Start of retention period at year-end:
If a retention period does not explicitly begin on a specific date and is at least one year long, it automatically begins at the end of the calendar year in which the triggering event occurred.
Rights of Data Subjects
As a data subject, you have various rights under the GDPR, particularly those arising from Articles 15 to 21 GDPR:
– Right to object
– Right to withdraw consent
– Right of access
– Right to rectification
– Right to erasure and restriction of processing
– Right to data portability
– Right to lodge a complaint with a supervisory authority
Right to lodge a complaint with a supervisory authority
You have the right under Art. 77 GDPR to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement.
Our competent authority is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59–61
10555 Berlin
Web: https://www.datenschutz-berlin.de/
Notice regarding the right to object under Art. 21 GDPR
Objection to processing based on legitimate interests:
If we process personal data based on Art. 6(1)(f) GDPR (legitimate interests), you have the right to object to the processing at any time for reasons arising from your particular situation.
If you object, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds which override your interests, rights, and freedoms, or unless the processing serves to assert, exercise, or defend legal claims.
Objection to direct marketing:
Where personal data is processed for direct marketing purposes, you may object to such processing at any time without giving reasons. In this case, personal data will no longer be processed for these purposes.
Business Services
We process data of our contractual and business partners (e.g., customers and prospective customers) within the scope of contractual or similar legal relationships and associated measures and with regard to communication with the contractual partners (or pre-contractually), for example to respond to inquiries.
We use this data to fulfill our contractual obligations. This includes, in particular, obligations to provide the agreed services, any update obligations, and remedy in cases of warranty or other service disruptions. Furthermore, we use the data to safeguard our rights and for the administrative tasks and business organization associated with these obligations.
Types of processed data: Inventory data; payment data; contact data; contract data; usage data; meta, communication and procedural data.
Data subjects: Service recipients and clients; prospective customers; business and contractual partners.
Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; security measures; communication; office and organizational procedures; business processes and economic procedures.
Retention and deletion: According to “General Information on Data Storage and Deletion”.
Provision of the Online Offering and Web Hosting
We process users’ data in order to provide them with our online services. For this purpose, we process, in particular, users’ IP addresses, which are necessary to transmit the content and functions of our online services to the users' browser or device.
Types of processed data: Usage data; meta, communication and procedural data; log data.
Data subjects: Users (e.g., website visitors, users of online services).
Purposes of processing: Provision of our online offering and user-friendliness; operation of information technology infrastructure; security measures.
Retention and deletion: According to “General Information on Data Storage and Deletion”.
Further notes on processing activities, procedures, and services:
Provision of online offering on rented hosting space (Wix):
To provide our online offering, we use the services of Wix.com Ltd., 40 Namal Tel Aviv St., Tel Aviv 6350671, Israel (“Wix”).
Wix provides us with the platform for creating and hosting the website. The personal data collected in connection with the use of our online offering is processed on Wix’s servers. According to Wix, servers are located in the EU, Israel, and the USA. Israel has an EU adequacy decision; for other third countries, suitable safeguards (e.g., Standard Contractual Clauses) are used.
We have concluded a data processing agreement with Wix, in which Wix commits to compliance with European data protection law.
Further information on Wix’s data processing:
Wix processes personal data for purposes such as hosting, provision of technical infrastructure, security monitoring, as well as logging and analysis of system activity. Wix uses subprocessors (e.g., cloud service providers), which can be viewed at:
https://www.wix.com/about/subprocessors
Data may be processed in the following regions:
– European Union
– Israel (with EU adequacy decision)
– USA (under the EU–US Data Privacy Framework or based on Standard Contractual Clauses)
A data processing agreement according to Art. 28 GDPR is in place with Wix, ensuring the protection of your data.
Collection of access data and log files:
Access to our online offering is logged in the form of “server log files”. Log files may include the address and name of the accessed websites and files, date and time of access, transferred data volumes, notification of successful retrieval, browser type and version, operating system, referrer URL, and IP addresses. The log files serve security purposes (e.g., defense against attacks) and ensure system stability. Log file information is stored for a maximum of 30 days and then deleted or anonymized; data required as evidence is exempt from deletion until the incident is finally clarified.
Use of Cookies
Our website uses cookies and similar technologies. Cookies are small text files stored on your end device that may contain information.
We use the following categories:
1. Technically necessary cookies (without consent)
These cookies are required for the website to function. They include, among others:
– Ensuring basic functions (e.g., page navigation, form submission, spam protection)
– Session management (e.g., recognizing whether a user is logged in)
– Security functions (e.g., protection against CSRF attacks)
– Caching and performance optimization
These cookies are used on the basis of § 25(2) TTDSG and Art. 6(1)(f) GDPR.
2. Cookies requiring consent (currently not used)
We currently do not use cookies for statistical or marketing purposes.
If we use such technologies in the future (e.g., for video embedding, analytics, or advertising), we will obtain your consent in advance via our cookie banner.
Cookie banner (consent tool)
When visiting our website for the first time, you will be informed about the use of cookies. There you can give or refuse your consent.
You can change or withdraw your settings at any time in the banner.
Individual cookie information
A list of the cookies used can be viewed at any time in the cookie banner.
Blogs and Publication Media
We use blogs or similar online communication and publication tools (“publication media”). User data is processed for the purposes of presenting the publication media and for communication between authors and readers or for security reasons.
Types of processed data: Inventory data; contact data; content data; usage data; meta, communication and procedural data.
Data subjects: Users of our publication medium.
Purposes of processing: Provision of our online offering and userfriendliness; communication; security measures.
Retention and deletion: According to “General Information on Data Storage and Deletion”.
Comments and contributions:
When users leave comments or other contributions, their IP addresses may be stored on the basis of our legitimate interests. This serves our security in case someone posts unlawful content in comments or contributions. We may also process user-provided information for spam detection. Information provided within comments or contributions will be stored until users object, unless statutory retention obligations prevent deletion.
Contact and Inquiry Management
When contacting us (e.g., by post, contact form, email, telephone, or via social media), we process the information provided by the inquiring persons to the extent necessary to respond to their contact requests and any requested measures.
Types of processed data: Inventory data; contact data; content data; usage data; meta, communication and procedural data.
Data subjects: Communication partners.
Purposes of processing: Communication; organizational and administrative procedures; provision of our online offering and userfriendliness.
Retention and deletion: According to “General Information on Data Storage and Deletion”.
Contact form
When using our contact form, we process the data you enter (e.g., name, email address, message) in order to handle your inquiry.
Legal bases:
– Art. 6(1)(b) GDPR if the inquiry is directed at concluding or carrying out a contract.
– Art. 6(1)(f) GDPR based on our legitimate interest in efficiently handling general inquiries.
You may object to processing based on legitimate interests at any time (see “Right to Object”).
Newsletter and Electronic Notifications
We send newsletters, emails, and other electronic notifications (“newsletter”) only with the consent of recipients or based on a legal basis. Where newsletter contents are specified during the signup process, these contents are decisive for consent.
Generally, providing your email address is sufficient for newsletter registration. We may additionally request a name for personalized addressing.
Deletion and restriction of processing:
We may store unsubscribed email addresses for up to three years based on our legitimate interests to be able to prove previously granted consent. Earlier deletion is possible upon request, provided that former consent is confirmed. In cases requiring permanent consideration of objections, we may store the email address in a blocklist.
Logging of the signup process (e.g., double opt-in, timestamps of consent, IP address) takes place based on our legitimate interests for proof of proper procedure. If we commission a service provider for email dispatch, this is based on our legitimate interests in an efficient and secure system.
Contents:
Information about us, our services, promotions, and offers.
Types of processed data: Inventory data; contact data; meta, communication and procedural data; usage data (if analyzing opening and click behavior).
Data subjects: Newsletter recipients and other communication partners.
Purposes of processing: Direct marketing.
Opt-out option:
You may unsubscribe from the newsletter at any time, i.e., withdraw your consent or object to future receipt. A link to cancel the newsletter is included at the end of each newsletter, or you may use the contact details provided above.
If we analyze opening and click behavior (e.g., via tracking pixels), this is done solely based on your consent and serves optimization of our newsletter offering.
Web Analytics, Monitoring, and Optimization
Web analytics (also “reach measurement”) serves the evaluation of visitor flows on our online offering and may include behavior, interests, or demographic information such as age or gender as pseudonymized values.
Unless otherwise stated, pseudonymous profiles may be created and information may be stored or accessed in a browser or device. Data collected may include visited websites and elements used there, as well as technical information such as browser used, operating system, and usage times. IP addresses are generally processed only in truncated form (IP masking).
Notes on legal bases:
Where we ask users for their consent to use web analytics tools, consent is the legal basis. Otherwise, processing is based on our legitimate interests in a commercially viable and user-friendly design of our online offering.
Types of processed data: Usage data; meta, communication and procedural data.
Data subjects: Users.
Purposes of processing: Reach measurement; profiles with user-related information; provision of our online offering and userfriendliness.
Retention and deletion: According to “General Information on Data Storage and Deletion”.
Further notes on processing activities, procedures, and services:
Google Analytics
We use Google Analytics to analyze the use of our online offering.
Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Google processes data as a processor pursuant to Art. 28 GDPR.
Data may be transferred to the USA. The basis is the EU–US Data Privacy Framework (DPF) and, where required, Standard Contractual Clauses.
We use Google Analytics with IP anonymization enabled, so your IP address is shortened within the EU or EEA.
Legal basis:
Your consent pursuant to Art. 6(1)(a) GDPR.
You may withdraw consent at any time via our cookie banner.
Retention period:
Data stored by Google Analytics is deleted or anonymized after 14 months unless configured otherwise.
Opt-out option:
You may additionally prevent data collection by installing the browser plugin:
https://tools.google.com/dlpage/gaoptout
Social Network Presences (Social Media)
We maintain online presences within social networks to communicate with users active there or to provide information about us.
We point out that user data may be processed outside the EU and that platform operators may carry out their own data processing (e.g., for market research or advertising), over which we have no influence. For detailed information on the respective processing and objection options, please consult the privacy policies of the respective networks.
Types of processed data: Contact data; content data; usage data.
Data subjects: Users of social networks.
Purposes of processing: Communication; public relations.
Plugins and Embedded Functions and Content
We integrate function and content elements into our online offering that are obtained from the servers of their respective providers (“third-party providers”). These may include graphics, videos, or maps.
Integration requires that third-party providers process users’ IP addresses, as the content cannot be sent to the browser otherwise. Third-party providers may also use pixel tags for statistical or marketing purposes.
Types of processed data: Usage data; meta, communication and procedural data.
Data subjects: Users.
Purposes of processing: Provision of our online offering and userfriendliness; reach measurement; marketing.
Retention and deletion: According to “General Information on Data Storage and Deletion”.
YouTube videos
We embed videos from the YouTube platform. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. When accessing a page with embedded YouTube videos, your IP address and possibly additional usage data may be transmitted to YouTube/Google. Where possible, we use the “enhanced privacy mode”. The legal basis is your consent via our cookie banner.
Amendment and Update
We ask you to regularly review the content of our privacy policy. We update the privacy policy whenever changes in our data processing activities make this necessary. We will inform you when changes require an action on your part (e.g., consent) or another form of individual notice.