Legal
Privacy Policy
Last updated: May 2026
1. Data Controller
The controller responsible for data processing on this website is:
HandsOn – AI Strategy & Governance Consulting e.K.
Schiefersburger Weg 43, 50739 Köln, Germany
Represented by: Maximilian Stein
Email: info@wearehandson.de
2. Overview of Data Processing
The following overview summarises the types of data processed and the purposes for which they are processed.
Types of data processed
- Inventory data (first name, last name, company, job title)
- Contact data (email address)
- Content data (entries in online forms, assessment answers)
- Usage data (pages visited, interest in content, access times, tool interactions)
- Meta and communication data (IP addresses, device information, browser type, referrer URL)
Categories of data subjects
- Visitors and users of the website
- Individuals who submit an enquiry via the contact form
- Individuals who complete an interactive assessment (AI Operating Model Maturity Assessment, AI Governance Readiness Check)
Purposes of processing
- Provision and technical operation of the website
- Responding to contact enquiries and providing requested information
- Delivery of assessment results and follow-up communication
- Reach measurement and marketing analytics
- Security and fraud prevention
3. Legal Bases
The following provides an overview of the legal bases of the GDPR on which we process personal data.
- Consent (Art. 6(1)(a) GDPR) — where you have given consent to the processing of your personal data for one or more specific purposes (e.g. cookies, analytics, assessment forms).
- Contract performance (Art. 6(1)(b) GDPR) — where processing is necessary for the performance of a contract or to take steps prior to entering into a contract.
- Legal obligation (Art. 6(1)(c) GDPR) — where processing is required to comply with a legal obligation, e.g. tax and commercial retention duties.
- Legitimate interests (Art. 6(1)(f) GDPR) — where processing is necessary for the purposes of legitimate interests pursued by us or a third party, unless overridden by your interests or fundamental rights.
4. Hosting & Server Log Files — IONOS
This website is hosted by IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany. When you visit our website, our server (operated by IONOS) automatically collects and stores information in so-called server log files, which your browser transmits to us. This information includes:
- Anonymised IP address of the requesting device
- Date and time of the request
- URL of the requested resource and HTTP status code
- Referrer URL and user agent (browser, operating system)
These log files are not combined with other data sources and are processed for the purpose of operating, securing and optimising our website. Log files are typically deleted or anonymised within 14 days, unless retention is required to investigate a specific security incident.
The use of IONOS is based on Art. 6(1)(f) GDPR. We have concluded a Data Processing Agreement (DPA) with IONOS. See: IONOS Privacy Policy.
5. Cookies & Consent — Complianz
Our website uses cookies. We use Complianz as our consent management platform. Complianz records your cookie preferences and ensures that no tracking cookies are set until you have given your consent.
Provider: Complianz B.V., Kalmarweg 14-5, 9723 JG Groningen, Netherlands
You can withdraw or adjust your cookie consent at any time via the cookie settings in the footer. Legal basis: Art. 6(1)(a) GDPR (consent) and Art. 6(1)(f) GDPR (legitimate interest in documenting consent).
6. Google Tag Manager
We use Google Tag Manager, a tag management solution provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Google Tag Manager itself does not set cookies and does not collect personal data. It only fires tags for which consent has been granted via our consent management platform. Legal basis: Art. 6(1)(f) GDPR.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
7. Google Analytics 4
We use Google Analytics 4 (GA4), a web analytics service provided by Google Ireland Limited. GA4 uses cookies to analyse how visitors use our website. The information generated is transmitted to Google servers and stored there.
IP anonymisation
We have enabled IP anonymisation. Your IP address will be truncated by Google within the EU before transmission.
Legal basis and consent
GA4 is only activated after you have given explicit consent via our cookie banner. Legal basis: Art. 6(1)(a) GDPR. Google LLC is certified under the EU-US Data Privacy Framework.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Privacy Policy: policies.google.com/privacy
Opt-out: tools.google.com/dlpage/gaoptout
8. HubSpot — CRM & Tracking
We use HubSpot, a CRM and marketing platform provided by HubSpot Ireland Limited, 1 Sir John Rogerson’s Quay, Dublin 2, Ireland. HubSpot serves as the central system for managing contact enquiries, assessment leads and customer communication.
HubSpot Tracking
HubSpot places a tracking cookie (hubspotutk) on your device to recognise returning visitors and associate website behaviour with contact records once a form has been submitted. This tracking only activates after you have given consent via our cookie banner. Legal basis: Art. 6(1)(a) GDPR.
HubSpot CRM
All form submissions on this website (contact form and assessment gates — see Section 9) are transmitted to and stored in HubSpot CRM. HubSpot is certified under the EU-US Data Privacy Framework. We have concluded a DPA with HubSpot. Legal basis for form data: Art. 6(1)(b) GDPR and/or Art. 6(1)(f) GDPR.
Provider: HubSpot Ireland Limited, 1 Sir John Rogerson’s Quay, Dublin 2, Ireland
Privacy Policy: legal.hubspot.com/privacy-policy
9. Interactive Tools & Assessments
We offer three free interactive tools on this website. They are embedded as iframes (technically hosted in our WordPress environment) and available in German and English. The following section describes what each tool processes.
9.1 AI Operating Model Framework (interactive guide)
The interactive Framework explainer is a knowledge resource. It does not contain a form, does not require entering any personal data and does not transmit personal data to any third party. Only the website-wide processing applies (hosting, analytics if consented).
9.2 AI Operating Model Maturity Assessment
This tool asks 18 questions across six domains to produce a maturity profile. The questions themselves do not collect personal data — they are answered using anonymous scale ratings. Before the results are displayed, you are asked to fill in a lead-capture form (“gate”).
Required fields: first name, last name, company, business email address
Optional fields: job title / role
Submitted along with: your assessment answers and the resulting maturity profile (per-domain stage)
Destination: HubSpot CRM (see Section 8)
A consent checkbox is required to submit the form. We use this data exclusively to (a) display your assessment results, (b) deliver a personalised PDF report if requested, and (c) — only if you have given consent — contact you about HandsOn services. Legal basis: Art. 6(1)(a) GDPR (consent) and Art. 6(1)(b) GDPR (pre-contractual steps).
9.3 AI Governance Readiness Check
This tool asks scope and assessment questions oriented around the EU AI Act (Regulation (EU) 2024/1689) to produce a compliance readiness profile across seven dimensions. As with the Maturity Assessment, results are gated behind a lead-capture form.
Required fields: first name, last name, company, business email address
Optional fields: job title / role
Submitted along with: your scope and assessment answers and the resulting readiness profile
Destination: HubSpot CRM (see Section 8)
The assessment answers are not used to make any automated decisions with legal or significant effect on you (Art. 22 GDPR). They serve solely to display your individual readiness profile and to inform any subsequent consultative conversation. Legal basis: Art. 6(1)(a) GDPR (consent) and Art. 6(1)(b) GDPR (pre-contractual steps).
10. Contact Form & Email Communication
When you submit an enquiry via our contact form or contact us by email, we process the personal data you provide (e.g. first name, last name, email, company, message) for the purpose of handling your request and any follow-up communication. Submissions are stored in HubSpot CRM (see Section 8).
Legal basis: Art. 6(1)(b) GDPR (pre-contractual steps) and Art. 6(1)(f) GDPR (legitimate interest in responding to enquiries). Providing this data is voluntary; without it we cannot respond to your enquiry.
11. RankMath SEO
We use RankMath, an SEO plugin provided by MyThemeShop LLC, to optimise the technical SEO of our website (meta tags, structured data, sitemaps). RankMath processes data exclusively within our WordPress installation and does not transmit personal visitor data to external servers during normal operation.
Privacy Policy: rankmath.com/privacy-policy
12. WordPress & Kadence Theme
This website is built on WordPress (open-source CMS). WordPress itself does not collect personal data from visitors beyond what is inherent to server operation (log files processed by IONOS — see Section 4). The Kadence Theme and Kadence Blocks plugin are used for layout and design. These plugins do not process personal visitor data.
13. Data Retention
We only store personal data for as long as necessary for the purposes described in this policy, or as required by statutory retention obligations:
- Server log files: up to 14 days, then deleted or anonymised.
- Cookie consent records (Complianz): up to 12 months from the date consent was given or refused.
- Google Analytics 4 event data: retention configured to the platform minimum (currently 2 months) unless a longer period is necessary for analysis.
- Contact form & assessment submissions (HubSpot CRM): stored for the duration of the business relationship; deleted upon request or no later than three years after the last contact, unless statutory retention periods (e.g. § 257 HGB, § 147 AO — up to 10 years) apply.
- HubSpot tracking cookie (hubspotutk): up to 13 months from the last interaction.
14. Data Transfers Outside the EU/EEA
Some of our service providers (notably Google LLC and HubSpot Inc.) are based in the United States or may process data there. For these transfers we rely on:
- the EU-US Data Privacy Framework (adequacy decision of the EU Commission of 10 July 2023), under which both Google LLC and HubSpot Inc. are certified; and
- EU Standard Contractual Clauses (Art. 46 GDPR) plus supplementary measures where applicable.
15. Automated Decision-Making
We do not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you in the sense of Art. 22 GDPR. The scoring produced by our interactive assessments serves orientation purposes only and is not used to make any binding decisions about you.
16. Your Rights under the GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR) — Obtain confirmation of whether and how your data is processed.
- Right to rectification (Art. 16 GDPR) — Have inaccurate personal data corrected without undue delay.
- Right to erasure (Art. 17 GDPR) — Have your personal data erased where one of the grounds in Art. 17 applies.
- Right to restriction (Art. 18 GDPR) — Restrict processing of your data in certain circumstances.
- Right to data portability (Art. 20 GDPR) — Receive your data in a structured, machine-readable format.
- Right to object (Art. 21 GDPR) — Object to processing based on legitimate interests at any time.
- Right to withdraw consent (Art. 7(3) GDPR) — Withdraw consent at any time without affecting prior lawful processing.
To exercise any of these rights please contact: info@wearehandson.de
17. Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal data infringes the GDPR.
Landesbeauftragte für Datenschutz und Informationsfreiheit NRW (LDI NRW)
Kavalleriestraße 2-4, 40213 Düsseldorf
Phone: +49 211 38424-0
18. Changes to this Policy
We reserve the right to update this privacy policy at any time. The current version is always available at wearehandson.de/privacy-policy.
