Privacy

Privacy Policy

Translation notice: This English version is provided for information only. The German version is the legally authoritative version. In case of discrepancies, the German version prevails.

Privacy information under the GDPR and TDDDG.

2.1 Controller

The controller responsible for the processing of personal data within the meaning of the General Data Protection Regulation is:

Iaroslava Suspitsina

LAUENSTEIN One

Bernauer Straße 27

10115 Berlin

Germany

Email: info@lauensteinone.de

A data protection officer has not been appointed because, according to the current status, there is no legal obligation to appoint one.

2.2 Scope of this Privacy Policy

This Privacy Policy applies to the website lauensteinone.de, the redirect domains lauensteinone.com and lauensteinone.net, the contact and inquiry forms, the Telegram channel, the Telegram bot LAUENSTEIN One Rebalancer, the business social media profiles and the related digital products and services.

This Privacy Policy explains which personal data we process, for what purposes we process it, on which legal basis this takes place, to which recipients data may be transferred, whether transfers to third countries take place, how long data is stored and which rights data subjects have.

Personal data means all information relating to an identified or identifiable natural person, for example name, email address, Telegram user identifier, IP address, communication content, contract data, payment information, technical usage data, application documents or portfolio values entered in the Rebalancer.

2.3 Legal bases

We process personal data in particular on the following legal bases:

• Art. 6(1)(b) GDPR: processing for the performance of pre-contractual measures, answering inquiries, contract performance, and the provision of digital products, software access, consulting, coaching and other services.

• Art. 6(1)(c) GDPR: processing for compliance with legal obligations, in particular tax, commercial law and accounting obligations.

• Art. 6(1)(f) GDPR: processing for IT security, prevention of misuse, establishment or defense of claims, organization of business operations, communication, direct communication with interested parties and ensuring a functional online offering.

• Art. 6(1)(a) GDPR: processing based on consent, in particular for optional newsletters, optional tracking, optional marketing services, advertising communication or voluntary information.

2.4 Website, hosting and server logs

The website is operated with Next.js and hosted via Vercel. According to the current technical setup, the website is operated in the Frankfurt, Germany / eu-central-1 region, insofar as this setting is technically provided and maintained by the provider. Depending on the provider architecture, individual technical processing operations may also take place via content delivery or security infrastructures.

When the website is accessed, technical access data may be processed, in particular IP address, date and time, requested URL, referrer URL, browser type, browser version, operating system, status codes, transferred data volumes and technical error and security logs.

Processing takes place to provide the website and to ensure stability, security, error analysis and prevention of misuse. The legal bases are Art. 6(1)(b) GDPR, insofar as provision is necessary for use of the offering, and Art. 6(1)(f) GDPR based on our legitimate interest in a secure and functional online offering.

2.5 Domain, DNS and email via STRATO

For the registration, connection and technical management of our domains, as well as for business email mailboxes, we use services of STRATO GmbH, Otto-Ostrowski-Straße 7, 10249 Berlin, Germany.

In our setup, STRATO is not used as the hosting provider for this website. The website is hosted via Vercel. STRATO is used for domain registration, DNS management and business email communication.

In the context of domain and DNS management, the data processed may include in particular domain names, registration data, master data, name, address, email address, telephone number, technical DNS settings, administrative contact data and technical protocol and support data.

In the context of email use, the data processed may include in particular email addresses, sender and recipient addresses, message content, subject lines, email metadata, IP addresses, times of communication, technical delivery and error data, spam filter information and, where used, contacts, appointments and tasks.

Processing takes place for the registration and management of our domains, technical connection, DNS management, provision of business email communication, sending and receiving emails, prevention of spam and misuse, IT security, error analysis, contract performance and compliance with statutory and contractual obligations.

The legal bases are Art. 6(1)(b) GDPR, insofar as processing is necessary to handle inquiries, carry out pre-contractual measures, perform a contract or provide the requested communication, Art. 6(1)(c) GDPR, insofar as statutory retention, documentation or cooperation obligations exist, and Art. 6(1)(f) GDPR based on our legitimate interest in secure, reliable and professional domain, DNS and email infrastructure.

STRATO may act as a processor within the meaning of Art. 28 GDPR when providing the services. Where required, we conclude a data processing agreement with STRATO.

Further information:

Website: https://www.strato.de

Privacy information: https://www.strato.de/datenschutz/

2.6 Contact by email, Telegram, social media or direct message

If you contact us by email, Telegram, social media, direct message or another channel, we process the data you transmit to handle the inquiry. This may include:

• name,

• email address,

• telephone number,

• Telegram username,

• social media profile name,

• communication content,

• company,

• project information,

• budget or time frame information,

• information about requested services,

• other voluntarily transmitted information.

Processing takes place to handle the inquiry, carry out pre-contractual measures and, where applicable, perform the contract. The legal bases are Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR. We generally delete inquiries that do not lead to a contract no later than 12 months after the last contact, unless statutory retention obligations, evidentiary interests or legitimate reasons for longer storage exist.

2.7 Contact forms, service inquiries, guide hub inquiries and applications

Various forms can be used on the website, in particular strategy call inquiries, service inquiries, guide hub inquiries, cooperation inquiries and careers or application inquiries.

Depending on the form, the following data in particular may be processed:

• name,

• email address,

• Telegram, WhatsApp or telephone contact,

• preferred language,

• current situation,

• current location or target location,

• project goal,

• website or project link,

• time frame,

• message,

• service or guide context,

• current page URL,

• consent or confirmation status,

• honeypot fields,

• Cloudflare Turnstile token,

• IP address or rate-limit information derived from it,

• timestamps and technical security logs.

For careers inquiries, CV/resume, file name, file size, file type, cover letter and the content of the submitted file may also be processed. Please do not submit special categories of personal data, such as health data, information about religion, trade union membership, ethnic origin or political opinion, unless this is required for reviewing your message.

Form contents are transmitted server-side to Telegram and processed there in an area controlled by us. In the future, transmission to the business email address info@lauensteinone.de may also take place.

Application documents and CVs are generally deleted no later than 6 months after completion of the process, unless longer storage is legally required or expressly agreed.

2.8 Cloudflare Turnstile, honeypot and rate limiting

We use Cloudflare Turnstile to check whether forms are used by humans and not automatically by bots. In addition, honeypot fields and rate limiting based on IP address and email address may be used to prevent spam, misuse and automated attacks.

Technical data such as IP address, browser and device information, interaction data, verification tokens, timestamps, security information and pseudonymized rate-limit keys may be processed.

Processing serves to protect the website and prevent spam, misuse and automated attacks. The legal basis is Art. 6(1)(f) GDPR. Where consent is required for access to information in the terminal device, processing takes place on the basis of consent. Where processing is strictly necessary to securely provide the digital service expressly requested by the user, we rely on the statutory exception for necessary technologies.

The storage of rate-limiting counters may take place server-side via Upstash Redis; details are provided in the section "Upstash Redis for rate limiting and security functions".

2.9 Upstash Redis for rate limiting and security functions

To technically secure our forms and API endpoints, we use Upstash Redis as a server-side, durable storage system for rate-limiting counters. This enables us to detect and limit spam, misuse, automated attacks and excessive requests.

We do not store plain-text email addresses or plain-text IP addresses in Redis. Instead, pseudonymized keys are generated from IP addresses and/or email addresses using HMAC. In addition, technical counters, time windows, expiration times, route or form context and security status may be processed.

The provider is Upstash, Inc. Further information:

Website: https://upstash.com

Privacy information: https://upstash.com/trust/privacy.pdf

Data Processing Addendum: https://upstash.com/static/trust/dpa.pdf

Upstash is used as a technical service provider / processor for Redis infrastructure. Insofar as personal data is transferred to third countries, this takes place on the basis of appropriate safeguards, in particular the EU-U.S. Data Privacy Framework, standard contractual clauses and/or a Data Processing Addendum, where applicable.

The purposes of processing are IT security, prevention of spam and misuse, protection of forms, ensuring the functionality of the website and limiting automated requests. The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure and low-abuse operation of our website and forms.

Rate-limiting data is generally stored only for the respective duration of the technical time window, currently typically 15 minutes to 60 minutes. In individual cases, security or error logs may be stored for longer insofar as this is required for error analysis, misuse prevention or legal defense.

2.10 Telegram Bot API, Telegram communication and Rebalancer

We use Telegram for communication, forwarding form inquiries, the Telegram channel and Telegram-based access to the LAUENSTEIN One Rebalancer.

When Telegram is used, Telegram's privacy provisions also apply. Telegram may independently process personal data. We do not have full influence over data processing by Telegram. Telegram bot communication and Telegram channels are not equivalent to classic end-to-end encrypted private communication. Sensitive data should only be transmitted if this is necessary for the respective purpose.

If you communicate via Telegram or use the Rebalancer, the following data in particular may be processed:

• Telegram User ID,

• Telegram Username,

• first name,

• last name,

• language setting,

• message content,

• access status,

• activation, blocking and termination status,

• technical interaction data,

• timestamps of inquiries, replies and notifications.

In the Rebalancer, entered portfolio values, model bucket values, position data, calculation histories, technical deviation calculations, notification settings, thresholds, audit logs and access history may also be processed.

Processing takes place to provide the bot, manage access, perform the contract, prevent misuse, ensure technical security and documentation. The legal bases are Art. 6(1)(b) GDPR, Art. 6(1)(c) GDPR and Art. 6(1)(f) GDPR.

2.11 LAUENSTEIN One Rebalancer and no suitability assessment

The LAUENSTEIN One Rebalancer is a digital educational and software tool for the technical display of mathematical deviations between entered portfolio values and a published model weighting.

The Rebalancer does not collect information about age, income, assets, investment objectives, risk profile, loss-bearing capacity, investment horizon, investment experience or personal circumstances that would be relevant for a suitability assessment.

The Rebalancer does not make automated decisions about users, contracts, financial instruments or personal suitability. Displayed calculations are technical model calculations and not personal recommendations.

2.12 Neon database

For the Rebalancer, we use a PostgreSQL database at Neon. According to the current status, the database is located in the AWS Europe Central 1 / Frankfurt region.

User master data, Telegram IDs, language settings, access statuses, portfolio values, calculation histories, notification settings, thresholds and audit logs may be stored in the database.

The legal bases are Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.

2.13 Payment processing and invoices

Payments are initially made by bank transfer after individual coordination. Bank details are not published publicly in the imprint, but are communicated only as part of the payment instruction or invoice.

We process payment and invoice data insofar as this is necessary for payment processing, contract performance, accounting, tax compliance and legal defense. This may include name, billing address, email address, service description, payment status, invoice number, payment amount, payment date, bank reference, transaction reference and contract and communication data. The legal bases are Art. 6(1)(b) GDPR and Art. 6(1)(c) GDPR.

If payment service providers such as PayPal, Stripe, credit card providers, SEPA providers or Telegram Payments are used in the future, this Privacy Policy will be supplemented accordingly before these services are used.

2.14 Newsletter and electronic notifications

No newsletter is currently operated. If a newsletter is offered in the future, it will generally be sent only after prior consent and regularly using the double opt-in procedure. Email address, time of registration, time of confirmation, IP address and technical proof data may be processed. The legal basis is Art. 6(1)(a) GDPR. Unsubscribing is possible at any time.

Contractually required notifications, for example concerning activation, contract performance, security information, payment status, termination, data deletion or Rebalancer access management, may be sent independently of a newsletter insofar as this is necessary for contract performance.

2.15 Cookies, local storage technologies and tracking

We currently use no web analytics tools, no marketing pixels and no behavior-based tracking on the website.

Technically necessary cookies or comparable technologies may be used insofar as they are required to provide the website, forms, security functions, language settings or other expressly requested functions.

If we use analytics, marketing, retargeting, affiliate tracking or comparable services in the future, this will only take place after prior information and, where required, consent.

2.16 Social media profiles and online presences

We operate business profiles, channels and online presences on various social media platforms to inform about our services, content, digital products, guides, cooperations and offers, communicate with users, handle inquiries, acquire leads and build our community.

Our social media channels:

YouTube:

• https://www.youtube.com/@lauenstein-one-IT

• https://www.youtube.com/@lauenstein-one-GUIDE

• https://www.youtube.com/@lauenstein-one-BUSINESS

• https://www.youtube.com/@lauenstein-one-FINANCE

Instagram:

• https://www.instagram.com/lauensteinone

TikTok:

• https://tiktok.com/@lauensteinone

Telegram Channel:

• https://t.me/lauensteinone

When you visit our social media profiles, view our content, interact with posts, write comments, send messages, follow us, share content or contact us via direct messages, personal data may be processed. This may include in particular profile name, publicly visible profile information, username, comments, likes, reactions, shares, message content, communication data, date and time of interaction, technical usage data, reach and statistics data, and information about requested services, cooperations or offers.

We process this data, insofar as it is provided to us by the respective platform or communicated to us by you, for the following purposes:

• communication with users,

• answering inquiries,

• handling customer and cooperation inquiries,

• customer acquisition and lead processing,

• community building,

• presentation and promotion of our services,

• documentation of business communication,

• evaluation of reach and interactions,

• labeling and carrying out cooperations, affiliate content and sponsored content.

The legal bases are Art. 6(1)(b) GDPR insofar as processing is carried out for pre-contractual measures or contract performance, Art. 6(1)(f) GDPR based on our legitimate interest in communication, marketing, community building, presentation of our services and business organization, and Art. 6(1)(a) GDPR insofar as consent is obtained.

The respective platform operators also process personal data under their own responsibility. This includes in particular the provision of the platform, technical delivery of content, user statistics, reach measurement, personalization, advertising, security, prevention of misuse and, where applicable, transfer of data to third countries. We have only limited influence over this processing by the platform operators.

To exercise data subject rights in relation to processing by the respective platform, please primarily contact the respective platform operator. You may also contact us at any time; we will support you within the scope of our possibilities.

Instagram / Meta

Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.

Website: https://www.instagram.com

Privacy information: https://privacycenter.instagram.com/policy/

When Instagram business functions and statistical evaluations are used, aggregated or statistical information about the use of our profile may be provided to us. Insofar as we are jointly responsible with Meta Platforms Ireland Limited for certain processing operations, in particular insights functions, joint responsibility is governed by the terms provided by Meta. In this context, we generally do not receive complete personal profile data of visitors, but primarily statistical evaluations.

YouTube

Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Website: https://www.youtube.com

Privacy information: https://policies.google.com/privacy

TikTok

Service provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland.

Website: https://www.tiktok.com

Privacy information: https://www.tiktok.com/legal/page/eea/privacy-policy/de

Telegram

Service provider: Telegram FZ-LLC or Telegram Messenger Inc. / Telegram Messenger LLP, depending on the service structure.

Website: https://telegram.org

Privacy information: https://telegram.org/privacy

2.17 Direct messages, leads and social sales communication

If you send us a direct message via Instagram, TikTok, YouTube, Telegram or other platforms, or submit an inquiry through these platforms, we process the data you transmit to handle your inquiry. If the inquiry results in a contract, the data may be stored for longer in accordance with statutory retention obligations. We generally delete inquiries without a contract no later than 12 months after the last contact, unless statutory obligations or legitimate interests conflict with deletion.

2.18 Affiliate, advertising and sponsoring

Our social media channels, videos, blog and guide content, Telegram channel and website may contain our own offers, affiliate links, cooperations, product mentions or sponsored content. Such content is labeled as advertising, advertisement, cooperation, affiliate link or sponsored content where required.

When external links are clicked, the respective providers may carry out their own data processing. We do not have full influence over this processing.

2.19 Guide Hub, editorial content and comments

The Guide Hub contains practical content about Germany, the EU, work, relocation, business, digital projects and orientation. The content serves general information, education and entertainment. It does not replace legal advice, tax advice, immigration law advice, investment advice or other individual professional advice.

If comment functions, user profiles, community areas or embedded third-party content are activated in the future, this Privacy Policy will be supplemented accordingly in advance.

2.20 Recipients and processors

Depending on the process, personal data may be transferred to the following categories of recipients:

• hosting and infrastructure providers,

• STRATO GmbH as domain, DNS and email service provider,

• database providers,

• Telegram Bot API / Telegram,

• security and anti-spam providers,

• Upstash Redis / rate-limiting providers,

• payment service providers, if used in the future,

• tax advisors, accounting service providers or authorities, where required,

• legal advisors or courts, where required for enforcement or defense of legal claims,

• social media platforms, insofar as interactions take place through these platforms.

Insofar as service providers process personal data on our behalf, we conclude data processing agreements or corresponding data protection agreements where possible and where required.

2.21 Transfers to third countries

Some services used may process personal data outside the European Union or the European Economic Area, in particular Telegram, Cloudflare, Upstash, social media platforms or payment and marketing services used in the future.

STRATO is based in Germany. According to the STRATO data processing agreement, the contractually agreed data processing generally takes place predominantly in a Member State of the European Union or in another contracting state of the European Economic Area. Where individual services, subprocessors or technical processing operations involve a transfer to third countries, this takes place in accordance with the statutory requirements, in particular Art. 44 et seq. GDPR.

Where a transfer to a third country takes place, it is carried out on the basis of an adequacy decision, appropriate safeguards, standard contractual clauses, statutory exceptions or consent, insofar as this is required.

2.22 Storage period

We store personal data only for as long as is necessary for the respective purposes or as long as statutory retention obligations exist.

General storage periods:

• Contact, service and guide inquiries without contract conclusion: up to 12 months after the last contact.

• Contract, payment and invoice data: in accordance with statutory retention obligations.

• Application documents/CV: generally up to 6 months after completion of the process.

• Rate-limiting data in Upstash Redis: generally only for the duration of the respective technical time window, currently typically 15 minutes to 60 minutes.

• Email communication via STRATO: business communication is stored for the duration of processing. Insofar as it is relevant under contract, tax or commercial law, storage takes place in accordance with statutory retention obligations. Other inquiries without contract conclusion are generally deleted no later than 12 months after the last contact, unless legitimate interests or statutory obligations conflict with deletion.

• Domain, DNS and administration data: generally for the duration of use of the domain and email services and beyond that insofar as statutory retention obligations, evidentiary interests or technical security reasons exist.

• Rebalancer access data and entered values: during the active contractual relationship; deletion or anonymization generally within 30 days after deletion request or contract end, unless retention obligations conflict.

• Audit and security logs: generally up to 12 months; longer in the event of security incidents, suspected misuse, payment disputes or legal disputes, insofar as required.

• Newsletter data: until consent is withdrawn or the recipient unsubscribes; proof data may be stored longer.

2.23 Rights of data subjects

Data subjects have, in accordance with the GDPR, in particular the following rights:

• right of access,

• right to rectification,

• right to erasure,

• right to restriction of processing,

• right to data portability,

• right to object to processing based on legitimate interests,

• right to withdraw granted consent with effect for the future,

• right to lodge a complaint with a data protection supervisory authority.

The competent data protection supervisory authority for Berlin is the Berlin Commissioner for Data Protection and Freedom of Information.

2.24 Right to object to processing based on legitimate interests

You have the right, on grounds relating to your particular situation, to object at any time to processing of personal data based on Art. 6(1)(f) GDPR.

In the event of an objection, we will no longer process the affected personal data unless we can demonstrate compelling legitimate grounds for the processing or the processing serves the establishment, exercise or defense of legal claims.

2.25 Objection to direct advertising

If personal data is processed for direct advertising, you have the right to object to this processing for such advertising purposes at any time.

2.26 Withdrawal of consent

You may withdraw consent that has been granted at any time with effect for the future. The lawfulness of processing carried out until withdrawal remains unaffected.

2.27 No automated decision-making

We do not use automated decision-making within the meaning of Art. 22 GDPR that produces legal effects concerning data subjects or similarly significantly affects them.

Technical model calculations in the LAUENSTEIN One Rebalancer serve exclusively the mathematical display of deviations between entered values and model weightings. They do not make decisions about users, contracts, financial instruments or personal suitability.

2.28 Updates to this Privacy Policy

We adapt this Privacy Policy when our services, providers, technical processes or legal requirements change. In particular, this Privacy Policy will be updated before new analytics, advertising, tracking, payment or community services are used.