1. Controller
The controller responsible for the processing of personal data within the meaning of the GDPR is:
Frank Bartels
Agentur für Digitales und Innovation
Erich-Weinert-Straße 51
10439 Berlin
Germany
Email: gdpr@thedigitalagency.io
(general: hello@thedigitalagency.io)
2. General principles
We process personal data only as far as necessary to provide a functional website, our content and our services, and only on a legal basis pursuant to Art. 6(1) GDPR. We do not use tracking cookies and do not sell data to third parties.
3. Server logs
When you access our website, technically required access data is processed (IP address, date/time, requested URL, referrer, user-agent). This data is used to ensure stable, secure operation and to detect abuse. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure operation). IP addresses are processed only for a short time and are not permanently linked to other data.
4. Hosting and delivery
The website is hosted by Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA, with EU-region routing (Frankfurt am Main). A data processing agreement (DPA) under Art. 28 GDPR is in place. Any data transfers to the US are based on the EU-US Data Privacy Framework (DPF) and additionally on Standard Contractual Clauses (SCC).
5. Domain registrar
Our domain is managed by GoDaddy.com, LLC, 2155 E. GoDaddy Way, Tempe, AZ 85284, USA. Personal data is only processed in the context of DNS resolution. DPF and SCCs apply.
6. Content management (CMS)
Editorial content (Insights, copy, media) is managed in Sanity (Sanity AS, Norway, with an EU data location). Sanity processes the editorial content and, where applicable, the login data of editors. End-user data is not captured via Sanity. A DPA under Art. 28 GDPR is in place.
7. Newsletter (Brevo)
When you sign up for our newsletter, we transmit your email address, the optional industry selection, the date of registration and the language to our delivery provider Brevo (Sendinblue GmbH, Köhlstraße 10, 50827 Cologne, Germany). A DPA under Art. 28 GDPR is in place. Brevo uses EU servers.
Registration uses a double opt-in procedure: after entering your email you receive a confirmation email and must click the contained link before you are subscribed.
Legal basis is your consent under Art. 6(1)(a) GDPR. You can withdraw your consent at any time, e.g. via the unsubscribe link in every newsletter or by emailing gdpr@thedigitalagency.io. On withdrawal we delete your data from the newsletter distribution list.
8. Newsletter spam protection (Cloudflare Turnstile)
We use Cloudflare Turnstile (Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA) on our newsletter form to prevent bot abuse. Turnstile generates a cryptographic challenge token in the background from technical browser signals and is explicitly designed as a cookie-free alternative to reCAPTCHA. Personal data is not transmitted for advertising purposes. Legal basis is our legitimate interest in protecting form submissions from spam bots (Art. 6(1)(f) GDPR). A DPA is in place. Data transfers to the US are based on DPF and SCCs.
9. Business email (Microsoft 365)
Inbound and outbound emails to hello@thedigitalagency.io and aliases are processed via Microsoft 365 / Exchange Online (Microsoft Ireland Operations, One Microsoft Place, Carmanhall and Leopardstown, Dublin 18, Ireland). EU data residency, DPA in place. Legal basis: Art. 6(1)(b) and (f) GDPR.
10. Self-Audit (third-party iframe)
On the page /audit we embed an external audit application by Emergent.sh via iframe. Any input you make inside the iframe is transmitted directly to Emergent.sh — we ourselves do not see your inputs in cleartext. Please also see the privacy notice on the audit page itself. Legal basis for embedding is our legitimate interest in providing a low-friction first-contact audit (Art. 6(1)(f) GDPR).
11. Cookies
We do not set marketing or tracking cookies. Cookies may be set in the following technically necessary contexts:
- Vercel may set essential cookies for session security and DDoS mitigation (technically required, no consent needed under §25(2) TDDDG).
- Cloudflare Turnstile sets a short-lived challenge token on the newsletter form — not a classical tracking cookie.
- The embedded audit iframe may set its own cookies — these are the responsibility of Emergent.sh.
See /cookies for a detailed overview.
12. International data transfers
Some of the services listed above (Vercel, Cloudflare, GoDaddy) are headquartered in the US. Where personal data is transferred to the US, this is done on the basis of (a) the EU-US Data Privacy Framework (DPF), where the provider is certified, (b) additionally the EU Standard Contractual Clauses (SCC), and (c) provider-side technical and organisational safeguards.
13. Retention periods
We store personal data only for as long as necessary for the purposes stated above or until the expiry of statutory retention obligations (in particular German tax and commercial law for business correspondence and invoice data: up to 10 years). We delete newsletter subscription data on withdrawal of consent.
14. Your rights as a data subject
You have the right to:
- Access your data (Art. 15 GDPR)
- Correct inaccurate data (Art. 16 GDPR)
- Erase your data (Art. 17 GDPR)
- Restrict processing (Art. 18 GDPR)
- Request data portability (Art. 20 GDPR)
- Object to processing based on legitimate interest (Art. 21 GDPR)
- Withdraw consent (Art. 7(3) GDPR)
For requests, please contact: gdpr@thedigitalagency.io.
15. Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority at any time. The competent authority for us is the Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstraße 219, 10969 Berlin, Germany (datenschutz-berlin.de).
16. Changes to this policy
We update this policy when the legal landscape, our processors or the website's functionality change. The version available at the time of your visit applies.