Privacy Policy

With this privacy policy, we inform you about how we handle your personal data and about your rights under the European General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the German Telecommunications and Telemedia Data Protection Act (TTDSG).

Controller

The controller responsible for data processing is:

DÜS Eckert Spracheninstitut GmbH
Immermannstr. 65C
40210 Düsseldorf
Germany

Phone: +49 211 2718200
Email: mail@dues-eckert.de

Managing Director: Irina Eckert

Data Protection Officer

If you have questions about data protection, please contact us using the details provided above.

Legal Bases

The data protection term "personal data" refers to all information relating to an identified or identifiable natural person. We process personal data in compliance with the applicable data protection regulations, in particular the GDPR, the BDSG, and the TTDSG. We only process personal data on the basis of a legal permission. We process personal data only

• with your consent (Art. 6(1)(a) GDPR or § 25(1) TTDSG),
• for the performance of a contract to which you are a party or to carry out pre-contractual measures at your request (Art. 6(1)(b) GDPR),
• to comply with a legal obligation (Art. 6(1)(c) GDPR), or
• where processing is necessary for the purposes of the legitimate interests pursued by us or a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require the protection of personal data (Art. 6(1)(f) GDPR).

Duration of Storage

Unless otherwise stated in the following sections, we store data only for as long as is necessary to achieve the processing purpose or to fulfill our contractual or legal obligations. Such statutory retention obligations may arise in particular from commercial or tax law. From the end of the calendar year in which the data was collected, we will retain personal data contained in our accounting records for ten years and personal data contained in commercial correspondence and contracts for six years. We will also retain data related to provable consents and claims for the duration of the applicable statutory limitation periods. Data stored for advertising purposes will be deleted when you object to processing for this purpose.

In addition, the following retention periods apply to specific processing activities:

• Chat messages (Intercom): We retain chat conversations for the duration of processing your inquiry and for up to 12 months thereafter for quality assurance purposes.
• Contact forms (Tally): Form data is stored for the duration of processing your inquiry and subsequently deleted unless statutory retention obligations apply.

Categories of Data Recipients

We use data processors as part of our data processing activities. Processing activities carried out by such processors include, for example, hosting, maintenance and support of IT systems, customer and order management, accounting and billing, or destruction of files and data carriers. Processors do not use the data for their own purposes but carry out data processing exclusively on our behalf and are contractually obligated to ensure appropriate technical and organizational data protection measures.

We have concluded data processing agreements pursuant to Art. 28 GDPR with the following services:

• Webflow, Inc. (hosting)
• Cloudflare, Inc. (DNS/CDN)
• Intercom R&D Unlimited Company / Intercom, Inc. (chat)
• Tally BV (forms)
• Notion Labs, Inc. (data management)

We may also transmit your personal data to entities such as postal and delivery services, our bank, tax advisors/auditors, or the tax authorities. Additional recipients may result from the following sections.

Data Transfers to Third Countries

Visiting our website may involve the transfer of certain personal data to third countries, i.e., countries where the GDPR is not directly applicable law. In particular, we use services whose providers are based in the USA (Webflow, Inc.; Cloudflare, Inc.; Intercom, Inc.; Notion Labs, Inc.) or in Canada (Conva Ventures Inc. / Fathom Analytics).

Such a transfer is permissible where the European Commission has determined that an adequate level of data protection exists in the third country (adequacy decision). For the USA, an adequacy decision exists under the EU-U.S. Data Privacy Framework, provided the respective provider is certified thereunder. For Canada, an adequacy decision exists for the private sector.

Where no such adequacy decision applies, personal data is only transferred to a third country in the presence of appropriate safeguards pursuant to Art. 46 GDPR (in particular EU Standard Contractual Clauses) or where one of the conditions of Art. 49 GDPR is met.

Your Rights

As a data subject, you have the right to exercise your data protection rights against us. In particular, you have the following rights:

Right of Access (Art. 15 GDPR)

You have the right to request confirmation as to whether we process personal data concerning you. If so, you have the right to access such personal data and to receive further information pursuant to Art. 15 GDPR.

Right to Rectification (Art. 16 GDPR)

You have the right to request the immediate rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed.

Right to Erasure (Art. 17 GDPR)

You have the right to request that we erase personal data concerning you without undue delay where one of the grounds set out in Art. 17 GDPR applies, e.g., where the data is no longer necessary for the purposes for which it was collected.

Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request the restriction of processing of your personal data where one of the conditions set out in Art. 18 GDPR applies, e.g., where you have objected to the processing.

Right to Data Portability (Art. 20 GDPR)

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, and you have the right to transmit that data to another controller without hindrance from us, where the processing is based on consent or a contract and is carried out by automated means.

Right to Object (Art. 21 GDPR)

You have the right, on grounds relating to your particular situation, to object at any time to processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR, in accordance with Art. 21(1) GDPR.

Where personal data is processed for direct marketing purposes, you have the right to object to such processing at any time and without giving reasons, pursuant to Art. 21(2) and (3) GDPR.

Right to Withdraw Consent (Art. 7(3) GDPR)

Where processing is based on your consent, you have the right to withdraw your consent at any time. The lawfulness of the processing carried out on the basis of consent prior to its withdrawal is not affected.

Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR)

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR. The supervisory authority responsible for us is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Postfach 20 04 44, 40102 Düsseldorf
Kavalleriestr. 2–4, 40213 Düsseldorf
Phone: +49 211 38424-0
Email: poststelle@ldi.nrw.de
https://www.ldi.nrw.de

Processing When Exercising Your Rights

When you exercise your rights pursuant to Art. 15 to 22 GDPR, we process the personal data transmitted for the purpose of implementing these rights and to be able to provide evidence thereof. The legal basis for this processing is Art. 6(1)(c) GDPR in conjunction with Art. 15 to 22 GDPR and § 34(2) BDSG.

Automated Decision-Making

Automated decision-making, including profiling, within the meaning of Art. 22 GDPR does not take place.

Data Processing on Our Website

When using our website, we collect information that you provide yourself. In addition, certain information about your use of the website is automatically collected during your visit. Under data protection law, the IP address is also generally considered personal data.

Server Log Files

When you use our website for informational purposes only, general information is automatically stored that your browser transmits to our server. This typically includes: browser type/version, operating system used, page accessed, previously visited page (referrer URL), IP address, date and time of the server request, and HTTP status code.

Processing is carried out to protect our legitimate interests and is based on Art. 6(1)(f) GDPR. This processing serves the technical administration and security of the website.

Hosting: Webflow

Our website is hosted on the Webflow platform, a service provided by Webflow, Inc., 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA. When you visit our website, Webflow automatically stores information in server log files that your browser transmits (see above). Webflow itself does not set its own cookies on hosted customer websites.

The legal basis for processing is Art. 6(1)(f) GDPR (legitimate interest in reliable and secure web hosting). Insofar as personal data is transferred to the USA, this is done on the basis of the EU-U.S. Data Privacy Framework or the EU Standard Contractual Clauses.

More information: https://webflow.com/legal/privacy

DNS and Content Delivery Network: Cloudflare

We use the Cloudflare service of Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA, as a DNS service and Content Delivery Network (CDN). Cloudflare filters all traffic between your browser and our website. In doing so, Cloudflare may also process your IP address and other technical data.

For bot detection and protection against DDoS attacks, Cloudflare may set the __cf_bm cookie (storage duration: max. 30 minutes). This cookie is technically necessary to ensure the security of the website and falls under the exemption of § 25(2)(2) TTDSG; consent is not required.

The legal basis for processing is Art. 6(1)(f) GDPR (legitimate interest in the security and optimization of our website). Insofar as personal data is transferred to the USA, this is done on the basis of the EU-U.S. Data Privacy Framework or the EU Standard Contractual Clauses.

More information: https://www.cloudflare.com/privacypolicy/

Web Analytics: Fathom Analytics

To analyze the use of our website, we use Fathom Analytics, a service provided by Conva Ventures Inc. (Canada). Fathom Analytics is a privacy-friendly analytics service that does not set cookies and does not create individual user profiles. IP addresses are only processed transiently by Fathom on the server side and are immediately anonymized; no personal data is stored. Analysis is based exclusively on anonymized and aggregated data.

Since Fathom Analytics does not store or access any information on your device, consent under § 25 TTDSG is not required. As a precautionary measure, we base the server-side processing of access data on Art. 6(1)(f) GDPR (legitimate interest in the anonymized analysis of website usage). For Canada, an adequacy decision of the European Commission exists for the private sector.

More information: https://usefathom.com/legal/privacy

Content Delivery Network: jsDelivr

On some pages of our website, JavaScript libraries (e.g., Swiper for carousel displays) are loaded via the public Content Delivery Network jsDelivr (operated by Volentio JSD d.o.o., Croatia). When loading these libraries, your IP address is transmitted to jsDelivr's servers. jsDelivr does not set cookies and does not store personal data. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in the reliable delivery of website functionality). Croatia is an EU member state; no third-country transfer takes place.

More information: https://www.jsdelivr.com/terms/privacy-policy-jsdelivr-net

Live Chat: Intercom

We use the Intercom chat service on our website, operated by Intercom R&D Unlimited Company (Ireland) and Intercom, Inc. (USA). Intercom allows you to contact us directly via a chat widget on our website.

Intercom may set the following cookies: intercom-id-* (anonymous visitor ID, 270 days), intercom-session-* (session cookie, 1 week), and intercom-device-id-* (device ID, 270 days). These cookies are only set when you actively use the chat (i.e., when you open the chat widget). The storage serves to provide the chat service you have requested and is classified as technically necessary pursuant to § 25(2)(2) TTDSG; consent is not required.

When you use the chat, we process the data you enter (e.g., name, email address, message content) for the purpose of responding to your inquiry. The legal basis is Art. 6(1)(b) GDPR (pre-contractual measures or contract performance) or Art. 6(1)(f) GDPR (legitimate interest in communicating with prospects and customers).

Insofar as personal data is transferred to the USA, this is done on the basis of the EU-U.S. Data Privacy Framework or the EU Standard Contractual Clauses.

More information: https://www.intercom.com/legal/privacy

Messaging via WhatsApp (via Intercom)

Through our Intercom chat, you can also communicate with us via the messaging service WhatsApp. WhatsApp is operated by WhatsApp Ireland Limited (Ireland) and WhatsApp LLC (USA), both subsidiaries of Meta Platforms, Inc.

When you contact us via WhatsApp, we process your phone number, message content, and metadata (e.g., timestamps). In addition, WhatsApp (Meta) processes further data as an independent controller in accordance with its own privacy policy. We have no influence over the nature and extent of data processed by WhatsApp (Meta).

The legal basis for our processing is Art. 6(1)(f) GDPR (legitimate interest in communicating via channels preferred by our users). The use of WhatsApp is voluntary; you can always reach us via the contact form, email, or phone.

More information: https://www.whatsapp.com/legal/privacy-policy-eea

Forms: Tally

For certain forms on our website, we use the Tally service provided by Tally BV (Belgium). When you fill out such a form, the data you enter is processed by Tally and forwarded to us.

All fields marked as mandatory are required to process your request. Failure to provide this data means we cannot process your inquiry. Providing additional data is voluntary.

If your inquiry relates to the conclusion or performance of a contract with us, Art. 6(1)(b) GDPR is the legal basis. Otherwise, we process the data on the basis of our legitimate interest in communicating with inquiring persons. The legal basis is then Art. 6(1)(f) GDPR.

More information: https://tally.so/help/privacy-policy

Data Management: Notion

For internal administration and organization, we use the Notion service provided by Notion Labs, Inc. (USA). Personal data collected via our website (e.g., contact inquiries, form entries) may be processed in Notion.

The legal basis is Art. 6(1)(f) GDPR (legitimate interest in efficient internal organization). Insofar as personal data is transferred to the USA, this is done on the basis of the EU-U.S. Data Privacy Framework or the EU Standard Contractual Clauses.

More information: https://www.notion.so/privacy

Automation: N8N

For the automated processing of form inquiries and other business processes, we use the automation service N8N. N8N acts as a data processor on our behalf and processes personal data (e.g., contact data from form submissions) exclusively according to our instructions. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in the efficient handling of inquiries).

Job Listings: join.com

Current job listings are displayed on our website via a JavaScript widget from the join.com service provided by JOIN Solutions AG (Berlin, Germany). The job listings are loaded directly into our website; in doing so, your IP address is transmitted to the servers of JOIN Solutions AG (join.com, widget.join.com, cdn.join.com). The widget does not set cookies.

Applications are processed exclusively via the join.com platform and not via our website. For the processing of personal data in the course of the application process, JOIN Solutions AG acts as a data processor on our behalf.

The legal basis for embedding the job listings is Art. 6(1)(f) GDPR (legitimate interest in displaying job offerings). For the processing of applicant data, Art. 6(1)(b) GDPR (pre-contractual measures in the employment context) is the legal basis. Application documents of rejected applicants are deleted no later than six months after the conclusion of the application process, unless explicit consent to longer storage has been given.

More information: https://join.com/privacy-policy

Cookies and Similar Technologies

Cookies are small text files stored by your browser when you visit a website.

Our website uses only technically necessary cookies that are required for the operation of the website or for providing a service you have explicitly requested. For such cookies, consent is not required pursuant to § 25(2)(2) TTDSG.

Specifically, the following technically necessary cookies may be set:

• __cf_bm (Cloudflare): Bot detection and DDoS protection — Storage: Max. 30 min.
• _cfuvid (Cloudflare): Session management and rate limiting — Storage: Session
• intercom-id-* (Intercom): Anonymous visitor ID (chat use only) — Storage: 270 days
• intercom-session-* (Intercom): Session management (chat use only) — Storage: 1 week
• intercom-device-id-* (Intercom): Device identification (chat use only) — Storage: 270 days

We do not use a consent management tool (cookie banner) on our website, as we do not use any cookies or comparable technologies that require consent.

Data Processing on Our Social Media Pages

We maintain company pages on several social media platforms to provide additional opportunities for information about our company and for exchange. Our company has pages on the following platforms:

• Facebook (Meta Platforms Ireland Limited, Ireland)
• Instagram (Meta Platforms Ireland Limited, Ireland)
• LinkedIn (LinkedIn Ireland Unlimited Company, Ireland)

When you visit or interact with one of these profiles, personal data about you may be processed.

Facebook and Instagram Page

When you visit our Facebook or Instagram page, certain information about you is processed. The sole controller for this processing is Meta Platforms Ireland Limited (Ireland — "Meta"). Further information about the processing of personal data by Meta can be found at https://www.facebook.com/privacy/explanation. Meta offers the possibility to object to certain data processing activities; relevant information and opt-out options can be found at https://www.facebook.com/settings?tab=ads.

Meta provides us with anonymized statistics and insights for our Facebook and Instagram pages, which give us knowledge about the types of actions that people take on our page (so-called "Page Insights"). This processing of personal data is carried out by Meta and us as joint controllers pursuant to Art. 26 GDPR. Meta is primarily responsible for the processing of Insights data after collection. Data subject rights can be exercised both against us and against Meta. The processing serves our legitimate interest in evaluating the actions taken on our page and improving our page based on these insights. The legal basis is Art. 6(1)(f) GDPR.

We cannot attribute the information obtained through Page Insights to individual profiles. Details about the joint controllership agreement can be found at https://www.facebook.com/legal/terms/information_about_page_insights_data.

Please note that, according to Meta's privacy policies, user data may also be processed in the USA or other third countries. Meta only transfers user data to countries for which an adequacy decision of the European Commission exists pursuant to Art. 45 GDPR or on the basis of appropriate safeguards pursuant to Art. 46 GDPR.

LinkedIn Company Page

For the processing of personal data when visiting our LinkedIn page, LinkedIn Ireland Unlimited Company (Ireland — "LinkedIn") is generally the sole controller. Further information can be found at https://www.linkedin.com/legal/privacy-policy.

When you visit our LinkedIn company page, follow this page, or engage with it, LinkedIn processes personal data to provide us with anonymized statistics and insights (so-called "Page Insights"). For this purpose, LinkedIn processes in particular data that you have already provided to LinkedIn via your profile, such as information about your role, country, industry, seniority, company size, and employment status. In addition, LinkedIn processes information about how you interact with our company page.

This processing is carried out by LinkedIn and us as joint controllers pursuant to Art. 26 GDPR. The processing serves our legitimate interest in evaluating the actions taken on our LinkedIn company page and improving it based on these insights. The legal basis is Art. 6(1)(f) GDPR. The joint controllership agreement is available at: https://legal.linkedin.com/pages-joint-controller-addendum.

You can exercise your data subject rights both against us and against LinkedIn. You can contact the Data Protection Officer at LinkedIn Ireland via the following link: https://www.linkedin.com/help/linkedin/ask/TSO-DPO. You also have the right to lodge a complaint with the competent supervisory authority, e.g., the Irish Data Protection Commission (https://www.dataprotection.ie) or any other competent supervisory authority.

Please note that, according to LinkedIn's privacy policies, personal data may also be processed in the USA or other third countries. LinkedIn only transfers personal data to countries for which an adequacy decision exists pursuant to Art. 45 GDPR or on the basis of appropriate safeguards pursuant to Art. 46 GDPR.

Comments and Direct Messages

We process information that you provide to us via our company pages on the respective social media platforms. Such information may include the username used, contact details, or a message to us. We process this data on the basis of our legitimate interest in communicating with inquiring persons. The legal basis is Art. 6(1)(f) GDPR. Additional processing may occur if you have given consent (Art. 6(1)(a) GDPR) or if it is necessary to comply with a legal obligation (Art. 6(1)(c) GDPR).

Changes to This Privacy Policy

We reserve the right to amend this privacy policy at any time to ensure it always complies with current legal requirements or to reflect changes in our services. The new privacy policy will apply to your next visit.

Last updated: March 24, 2026