PRIVACY NOTICE

Version: 1.0
Last updated: 14 August 2025

1. Controller

THVNDR (sole proprietorship)
Aachener Str. 309, 50931 Cologne, Germany
Email: legal [at] thvndr [dot] com

Website: https://www.thvndr.com

2. Scope

This notice explains how we process personal data when you visit our website, use contact forms, view embedded media, or interact with analytics and consent tools.

3. Legal bases we rely on

We process personal data under the GDPR, in particular:

  • Art. 6(1)(b) performance of a contract or steps prior to entering into a contract

  • Art. 6(1)(c) compliance with legal obligations

  • Art. 6(1)(f) legitimate interests, such as operating a secure and functional website

  • Art. 6(1)(a) consent for non-essential cookies and third-party services in the EU

  • § 25 TTDSG for storing or accessing information on a user’s device in Germany

4. Cookies and consent (Borlabs Cookie)

We use Borlabs Cookie to manage consent. Visitors from the EU and EEA see a consent banner before non-essential services load. Visitors from non-EU regions do not see the banner and non-essential cookies may load by default based on regional settings you selected.

  • You can change your choice at any time via the Cookie Settings link in the footer.

  • Borlabs stores a consent cookie to remember your choice and logs the consent event. Consent log retention: 12 months.

We group cookies as Essential, Statistics, Marketing, and External Media. The live list of cookies, purposes, providers, and lifetimes is shown in the cookie settings panel.

5. Hosting and server logs

Hosting provider: IONOS.
Server location: within the EU according to provider setup. Where providers process data outside the EU/EEA, we rely on an adequacy decision (Art. 45 GDPR) or on the European Commission’s Standard Contractual Clauses (Art. 46 GDPR). Where required, we apply additional measures (e.g., encryption, pseudonymisation, data minimisation).

When you access our site, the server processes your IP address, timestamp, requested URL, referrer, and user agent to deliver pages and prevent abuse.
Retention of server logs: maximum 8 weeks.

We run regular backups with UpdraftPlus.

6. Contact and communication

If you contact us via email or our contact form, we process your name, email address, and message content to respond.

  • Legal basis: Art. 6(1)(b) if your enquiry relates to a contract, otherwise Art. 6(1)(f).

  • Retention: typically 12 months after the enquiry is closed, unless statutory retention requires longer.

Bot protection

Our contact form uses reCAPTCHA (v3, as implemented) to prevent abuse.

  • EU/EEA: reCAPTCHA only loads after consent.

  • Provider: Google (Google Ireland Limited / Google LLC).

  • Legal basis: Art. 6(1)(a) in the EU; legitimate interests outside the EU where applicable.

7. Web analytics

We currently do not use any third-party web analytics service on this website. We rely only on aggregated server logs provided by our host to operate a secure and functional site.

  • Tooling: No Google Analytics, no Meta/Hotjar/Clarity.

  • Yoast SEO: does not place analytics cookies on the front end and does not track visitors for analytics purposes.

  • Legal basis: Art. 6(1)(f) GDPR (legitimate interests in operating a secure website).

  • Retention: server logs are kept for 7 days and then deleted (adjust if your host uses a different period).

If we introduce web analytics in the future, we will update this notice and, for EU/EEA visitors, obtain consent before any non-essential cookies or identifiers are set.

8. Advertising and remarketing

We do not use advertising or remarketing pixels at this time.

9. Embedded media and maps

We embed YouTube, Vimeo, and Spotify content.

  • EU/EEA: these services only load after consent or after you click a two-click placeholder.

  • When content loads, the provider receives your IP address and device data, and may set cookies.

  • Legal basis: Art. 6(1)(a) consent in the EU.

10. Fonts

We serve our fonts locally from our own server. No connection to Google is required to display fonts. If any third-party font delivery remains on a specific page, it will only run after consent in the EU.

11. Processors, recipients, and international transfers

We use service providers that process data on our behalf under Art. 28 GDPR, including our host and consent tool provider. Some providers are located outside the EU or are part of international groups.

For transfers to third countries, we rely on adequacy decisions or Standard Contractual Clauses with supplementary measures where required. Key providers include:

  • Google Ireland Limited and Google LLC (USA) for Analytics and reCAPTCHA

  • Video and audio platforms such as YouTube (Google), Vimeo, and Spotify

You can request a current list of our processors at le***@****dr.com.

12. Retention

We store personal data only as long as necessary for the purpose or as required by law.

  • Server logs: maximum 8 weeks

  • Consent logs: 12 months

  • Contact enquiries: 12 months after closure

  • Analytics: 14 months in GA4

13. Your rights under GDPR

You have the right to:

  • Access your data (Art. 15)

  • Rectification (Art. 16)

  • Erasure (Art. 17)

  • Restriction of processing (Art. 18)

  • Data portability (Art. 20)

  • Object to processing based on legitimate interests (Art. 21)

  • Withdraw consent at any time with future effect

You also have the right to complain with a supervisory authority. You can contact the authority of your habitual residence or workplace. In Germany, a list of authorities is available via the Federal Commissioner for Data Protection and Freedom of Information.

14. Children

We do not knowingly target or collect data from minors.

15. Security

We use technical and organisational measures appropriate to risk, including TLS encryption, access controls, and regular updates. Backups are performed to support recovery.

16. Changes to this notice

We reserve the right to update this notice to reflect changes to our processing procedures. The current version and date are shown at the top. Material changes will be indicated on this page.

How to contact us: legal [at] thvndr [dot] com

Imprint: https://thvndr.com/imprint

Cookie settings: Use the Cookie Settings link in the footer to change your preferences at any time.