Privacy Policy
1. Controller
The controller responsible for data processing on this website within the meaning of the GDPR is:
Bornwerk UG (haftungsbeschränkt)
Märkische Straße 193
44141 Dortmund
Deutschland
[email protected]
2. Data Protection Officer
We are not legally required to appoint a data protection officer. For privacy enquiries, please use the contact details above.
3. Controller vs. Processor
For the data of website visitors and our business customers (studios and their account data) we act as controller. For the booking data of end-clients that a studio processes through Terminz, the respective studio is the controller and we act as a processor pursuant to Art. 28 GDPR. This policy covers only our role as controller; the privacy information provided to end-clients is the responsibility of the respective studio.
4. Collection and Processing of Personal Data
We collect personal data when you visit our website, use the contact form, subscribe to the newsletter, or register as a business customer. This includes in particular your name, email address, phone number, company details, and technical access data such as IP address, date and time of access, and information about your browser and device.
Contact Form
When you contact us via the contact form, we process your name, email address, optionally phone number and company name, and your message in order to handle your enquiry. The legal basis is Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (responding to enquiries). Delivery is handled by our service provider Resend.
Newsletter
For the newsletter we process your email address on the basis of your consent (Art. 6(1)(a) GDPR). We use the double opt-in procedure: after signing up you receive a confirmation email and are only added to the list after clicking the confirmation link. You can withdraw your consent at any time via the unsubscribe link in every email.
Business Customer Registration
When you register as a business customer, we process the contact person’s data (name, email, optionally phone), the company name, and industry details in order to establish and perform the contractual relationship. The legal basis is Art. 6(1)(b) GDPR.
Payment Processing
Payments are processed via Stripe (Stripe Payments Europe, Ltd. / Stripe, Inc.). Payment-related data is transmitted to Stripe; card data is not stored on our servers. The legal basis is Art. 6(1)(b) GDPR. Transfers to the USA are based on the EU-US Data Privacy Framework or the Standard Contractual Clauses.
5. Legal Bases for Processing
- Performance of a contract and pre-contractual measures pursuant to Art. 6(1)(b) GDPR (registration, contact requests)
- Consent pursuant to Art. 6(1)(a) GDPR (newsletter, analytics cookies)
- Legitimate interest pursuant to Art. 6(1)(f) GDPR (secure operation and optimisation of the website)
- Legal obligation pursuant to Art. 6(1)(c) GDPR (retention of consent records)
6. Cookies and Consent
We use strictly necessary cookies and - only with your consent (§ 25(1) TDDDG) - analytics cookies. You can grant or withdraw your consent at any time via our cookie banner. Google Analytics loads in Google Consent Mode with a default state of "denied" and sets no analytics cookies and evaluates no data without your consent; client-side error monitoring (Sentry) is not loaded at all without your consent.
7. Analytics and Error Logging
Google Analytics
This website uses Google Analytics by Google Ireland Ltd. / Google LLC, loaded via Google Tag Manager. IP anonymisation is enabled and Google Consent Mode defaults to "denied". Processing only takes place after your consent (Art. 6(1)(a) GDPR, § 25(1) TDDDG).
Sentry
For error detection we use Sentry (Functional Software Inc.). Session replays are captured only on error and fully masked (text, inputs, and media). Sentry is loaded only after you grant analytics consent.
Reach Measurement and A/B Testing of Profile Pages
On the public profile pages we collect statistical access data (page accessed, referrer, and browser/device information) for reach measurement on the basis of our legitimate interest in analysing and improving reach (Art. 6(1)(f) GDPR). To optimise the presentation we also carry out A/B tests and store the test variant assigned to you locally on your device (key "terminz_ab_assignments"). This storage takes place only with your consent (Section 25(1) TDDDG, Art. 6(1)(a) GDPR), which you can grant or withdraw at any time via our cookie banner.
8. Google Maps Platform (Address Search and Business Data)
We use the Google Maps Platform provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland; parent company Google LLC, USA). When you enter an address in our forms, your input is transmitted to Google for address completion. During the onboarding of a business customer, publicly available business data (name, address, opening hours, telephone number) from the Google business listing may additionally be suggested in order to facilitate profile creation. This data is presented to the business customer for review and confirmation before it is stored and is only added to the profile after the customer confirms it. Only the Google Place ID is stored permanently as a unique identifier of the listing; otherwise, Google content is not cached beyond the limits permitted by the Google Terms of Service. Where we display Google content without a map view, we do so with the notice "Powered by Google". The legal basis is Art. 6(1)(b) GDPR (performance of the contract with the business customer) and Art. 6(1)(f) GDPR (legitimate interest in the accurate and efficient capture of location and business data). On public profile pages, an embedded Google map (Google Maps Embed) may additionally be displayed to show the location. When the map loads, data – in particular your IP address – is transmitted to Google and cookies may be set; the embedding of the map takes place on the basis of your consent (Section 25(1) TDDDG, Art. 6(1)(a) GDPR), which you can grant or withdraw via our cookie banner. Any transfer to the USA takes place on the basis of the EU-US Data Privacy Framework or the Standard Contractual Clauses.
9. Public Business Profile and Directory
Business customers (studios) can provide a publicly accessible profile via Terminz and be listed in a searchable business directory so that end customers can find them and book appointments. The publicly displayed information includes business data such as name, address, opening hours, services and prices, photos and reviews. This is predominantly company data; insofar as individual details have a personal reference (for example the name of a self-employed owner), the legal basis is Art. 6(1)(b) GDPR (performance of the contract with the business customer) and Art. 6(1)(f) GDPR (legitimate interest in the public discoverability of the studio and in promoting its services). The business customer determines the content and scope of the public profile and may edit the displayed information, remove individual content or deactivate the public profile at any time. Public profiles may be indexed by search engines. These functions are continuously developed further; the specific scope of the business data displayed may expand without changing the purpose and legal basis stated above. Via a contact form on the public profile, end customers can send enquiries (name, email address, telephone number, subject and message) to the studio; in this respect we process the data as a processor on behalf of the studio. Published reviews may contain the first name and the first letter of the surname of the reviewing person as well as their review text. The respective business customer is responsible for the content of its profile and for any personal data of third parties contained therein.
10. Recipients and Processors
We share data with carefully selected processors: AWS (hosting/storage, eu-central-1), Cloudflare (CDN and reverse proxy), Stripe (payments), Resend (email delivery), Sentry (error detection), and Google services (Analytics incl. Google Tag Manager, Google Maps Platform incl. address search and business-data enrichment, sign-in). Art. 28 GDPR processing agreements are in place with all processors. Fonts are bundled locally (self-hosted) and are not loaded from external servers.
11. Third-Country Transfers
Some recipients (Stripe, Resend, Sentry, Google) process data in the USA. Transfers are based on the EU-US Data Privacy Framework or the EU Commission Standard Contractual Clauses. Primary processing and hosting take place in the EU (eu-central-1).
12. Retention Periods
We store personal data only as long as necessary for the respective purpose or required by statutory retention obligations. IP addresses in access logs are anonymised after 30 days, session data after 90 days, login attempts are deleted after 30 days, and records of withdrawn consent are kept for three years. Data exports are deleted after 30 days.
13. Your Rights
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to withdraw consent (Art. 7(3) GDPR)
14. Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The authority responsible for us is: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW).
15. Contact
For questions about the processing of your personal data or to exercise your rights, contact us at [email protected].