Privacy Policy

Last updated: June 2026

1. Data Protection at a Glance

General Information

The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to personally identify you.

Who is responsible for data collection on this website?

Data processing on this website is carried out by the website operator. Their contact details can be found in the section 'Responsible Body' below.

How do we collect your data?

Your data is collected when you provide it to us — for example, when you fill out a contact form or book an appointment.

Other data is collected automatically or with your consent by our IT systems when you visit the website. This primarily includes technical data such as your browser type, operating system, and the time of your visit.

What do we use your data for?

Some data is collected to ensure the website functions correctly. Other data may be used to analyze your user behavior or to process inquiries and appointment bookings.

What rights do you have regarding your data?

You have the right to obtain information free of charge about the origin, recipients, and purpose of your stored personal data at any time. You also have the right to request correction or deletion of this data. If you have given consent to data processing, you can revoke this consent at any time for the future. You also have the right to lodge a complaint with the competent supervisory authority.

2. Hosting and Server Logs

Hosting (Vercel)

We host this website on Vercel. The provider is Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. Vercel serves our content from edge servers (default region Frankfurt) and may process technical connection data — in particular your IP address, date and time of access, the requested URL, browser and operating system, and the referrer — as necessary to deliver the website. We use Vercel on the basis of our legitimate interest in fast, secure, and reliable delivery of the website (Art. 6(1)(f) GDPR). For any transfer of data to the United States, Vercel relies on the EU-US Data Privacy Framework and EU Standard Contractual Clauses. More information: https://vercel.com/legal/privacy-policy

Server Log Files

Technical access data is automatically recorded in server log files when the website is accessed (IP address, date/time, requested URL, HTTP status, transferred data volume, referrer, browser and operating system information). This data is used solely to provide the website technically and to detect and prevent abuse. It is not combined with other data sources. The legal basis is Art. 6(1)(f) GDPR.

Data Processing Agreements

We have concluded Data Processing Agreements (DPAs) under Art. 28 GDPR with the following providers: Vercel Inc. (hosting), Microsoft Ireland Operations Ltd. (appointment booking and Azure OpenAI Service), HighLevel Inc. (CRM and marketing automation), Twilio Inc. (telephony and SMS infrastructure), and Supabase Inc. (database). These agreements ensure that the providers process the personal data of our website visitors and lead contacts only on our instructions and in compliance with the GDPR.

Transfer of Data to US Providers

We use tools from companies based in the United States (Vercel Inc. for hosting, HighLevel Inc. as CRM, Twilio Inc. for telephony, and Supabase Inc. for the database). When these tools are active as part of lead processing, your personal data may be transferred to and processed in the US. Such transfers are permitted if the recipient is certified under the EU-US Data Privacy Framework (DPF) and/or has signed EU Standard Contractual Clauses (SCC). We have signed EU Standard Contractual Clauses with all the providers listed; Vercel and Twilio are additionally certified under the DPF. Please note that despite these safeguards, the US does not offer a level of data protection fully comparable to the EU.

3. General Information and Mandatory Disclosures

Responsible Body

Rockstein Consulting GmbH

Rheinpromenade 4a

40789 Monheim am Rhein

Telephone: +49 170 7270222

Email: info@rockstein-consulting.de

Storage Duration

Unless a more specific retention period is stated within this privacy policy, your personal data will remain with us until the purpose for processing no longer applies. If you request deletion or withdraw your consent, your data will be deleted unless we have other legally permissible grounds for storage.

Legal Basis for Data Processing

We process personal data in compliance with the EU General Data Protection Regulation (GDPR) and applicable national data protection laws. Processing is based on your consent (Art. 6(1)(a) GDPR), contract performance (Art. 6(1)(b) GDPR), legal obligations (Art. 6(1)(c) GDPR), or our legitimate interests (Art. 6(1)(f) GDPR).

SSL/TLS Encryption

This website uses SSL/TLS encryption for security reasons and to protect the transmission of confidential content. You can recognize an encrypted connection by the 'https://' prefix in your browser's address bar and the lock icon.

4. Data Collection on This Website

Cookies and Cookie Consent

This website only uses strictly necessary cookies and optional cookies you have actively consented to. On your first visit, our cookie banner offers a choice: you can reject all optional cookies, enable individual categories, or accept all. Your selection is stored in a strictly necessary cookie (name: rockstein_cookie_settings, lifetime: 365 days) so the banner does not reappear. You can revoke your consent at any time by deleting this cookie via your browser settings. The legal basis for strictly necessary cookies is Art. 6(1)(f) GDPR; for optional cookies, your consent under Section 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR.

Contact Forms and Inquiries

When you contact us via email, contact form, or telephone, your inquiry and all associated personal data will be stored and processed by us for the purpose of handling your request. We do not share this data without your consent. Processing is based on Art. 6(1)(b) GDPR (contract performance or pre-contractual steps) or Art. 6(1)(f) GDPR (legitimate interest in effective communication).

Appointment Booking

You can request appointments with us via an external booking service (currently Microsoft Bookings, provider: Microsoft Ireland Operations Ltd., Dublin, Ireland). When you click the booking button, you are forwarded to the booking platform; from that point on, the provider processes the data you enter (name, email, optional phone number, appointment subject) to schedule the meeting. The resulting lead data is subsequently stored in our CRM (HighLevel) for further processing if you are interested in a consultation. The legal basis is Art. 6(1)(b) GDPR (pre-contractual steps) and Art. 6(1)(f) GDPR (legitimate interest in convenient scheduling). More information about the booking provider: https://privacy.microsoft.com/en-us/privacystatement

AI-Driven Lead Qualification (Sophie AI)

If you request an appointment via the booking form or otherwise provide us with your contact details for follow-up (e.g. via a Meta/Facebook lead ad), our AI voice agent 'Sophie' may contact you automatically by phone to qualify your inquiry and propose follow-up appointments. We process your name, phone number, and the content of the conversation on the basis of Art. 6(1)(b) GDPR (pre-contractual steps) or Art. 6(1)(f) GDPR (legitimate interest in efficient lead handling). At the start of each call you are informed that you are speaking with an AI system. You may object to automated processing at any time by contacting info@rockstein-consulting.de; a human will then take over the communication.

For this service we rely on the following processors (full Art. 28 GDPR data-processing agreements are in place):

  • HighLevel Inc., 400 N St. Paul St., Suite 920, Dallas, TX 75201, USA (CRM and workflow automation; data transfer to the US under EU Standard Contractual Clauses)
  • Twilio Inc., 101 Spear Street, San Francisco, CA 94105, USA (telephony and SMS infrastructure; data transfer to the US under EU Standard Contractual Clauses; Twilio is certified under the EU-US Data Privacy Framework)
  • Microsoft Ireland Operations Ltd. (Azure OpenAI Service for speech understanding and synthesis; processing in EU Azure regions, inputs are not used to train the models)
  • Supabase Inc., USA (storage of lead data and call transcripts; database region within the EU, data transfer to the US for administrative access under EU Standard Contractual Clauses)

Calls are automatically transcribed and stored for quality assurance and proof purposes for the duration of lead processing; data is deleted no later than upon expiry of statutory retention periods.

Video Embeds (YouTube in Enhanced Privacy Mode)

On individual sub-pages we embed videos via youtube-nocookie.com. In enhanced privacy mode (no-cookie variant), YouTube only stores cookies on your device once you actively start playback. When playback starts, connection data — in particular your IP address — may be transmitted to Google Ireland Ltd. Provider: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. The legal basis is Art. 6(1)(f) GDPR. More information: https://policies.google.com/privacy

5. Cookie Consent — Records and Withdrawal

Storage and Proof of Your Cookie Consent

Your consent choice is stored exclusively locally on your device in a strictly necessary cookie (name: rockstein_cookie_settings). The cookie contains: the selected categories (necessary, analytics, marketing), the time of consent (ISO-8601 timestamp), a randomly generated, non-personal consent ID, and the version of this privacy policy in effect at the time of consent. This enables us to verify on request which categories you consented to and when (Art. 7(1) GDPR). The record is not stored server-side and is not transmitted to third parties.

Withdrawal of Your Consent

You can withdraw your consent at any time with effect for the future. To do so, click 'Cookie Settings' in the footer — the banner will reopen and you can disable individual categories or reject all optional cookies. The lawfulness of processing carried out before the withdrawal is not affected. Alternatively, you may delete the cookie via your browser settings; the banner will then reappear on your next visit.

Analytics Tools

We currently do not use any analytics or tracking tools (e.g. Google Analytics, Matomo, Hotjar) on this website. If we add such tools in the future, we will inform you in advance, obtain your consent via the cookie banner, and bump the version of this policy so you can decide again.

6. Your Rights in Detail

Right to Object to Processing in Specific Cases and against Direct Marketing (Art. 21 GDPR)

IF DATA PROCESSING IS BASED ON ART. 6(1)(E) OR (F) GDPR, YOU HAVE THE RIGHT AT ANY TIME TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION; THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS. WHERE PERSONAL DATA IS PROCESSED FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO PROCESSING OF YOUR PERSONAL DATA FOR SUCH MARKETING, INCLUDING PROFILING TO THE EXTENT IT IS RELATED TO SUCH DIRECT MARKETING. IF YOU OBJECT, YOUR PERSONAL DATA WILL NO LONGER BE PROCESSED FOR DIRECT MARKETING PURPOSES (OBJECTION PURSUANT TO ART. 21(2) GDPR).

Right to Lodge a Complaint with the Competent Supervisory Authority

In case of violations of the GDPR, you have the right to lodge a complaint with a supervisory authority. The authority competent for Rockstein Consulting GmbH is the State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (LDI NRW), Kavalleriestraße 2-4, 40213 Düsseldorf, Germany, https://www.ldi.nrw.de. This right exists without prejudice to any other administrative or judicial remedy.

Right to Data Portability

You have the right to receive data that we process automatically on the basis of your consent or in performance of a contract in a commonly used, machine-readable format, either for yourself or for transmission to a third party. If you request direct transfer to another controller, this will only be done if technically feasible.

Right of Access, Correction and Erasure

Within the framework of the applicable statutory provisions, you have the right to obtain information free of charge at any time about your stored personal data, its origin and recipients, and the purpose of data processing, as well as the right to correction or deletion of this data. For this purpose, you can contact us at any time at info@rockstein-consulting.de.

Right to Restriction of Processing

You have the right to request the restriction of the processing of your personal data. This applies in particular while you contest the accuracy of your stored data, in the case of unlawful processing, if you need the data to enforce legal claims, or while an objection under Art. 21(1) GDPR is still being assessed.

Objection to Promotional Emails

We hereby object to the use of contact data published in fulfillment of the imprint obligation for the purpose of sending unsolicited advertising and information materials. The operators of this website expressly reserve the right to take legal action in the event of the unsolicited sending of advertising information, e.g. by spam emails.

Your Rights Under GDPR

  • Right to information about your stored data
  • Right to correction of inaccurate data
  • Right to deletion ('right to be forgotten')
  • Right to restriction of processing
  • Right to data portability
  • Right to lodge a complaint with a supervisory authority

Contact Us About Data Protection

If you have any questions about data protection, or wish to exercise your rights, please contact us at:

info@rockstein-consulting.de