The protection of your personal data is important to us. This privacy notice explains how your personal data is processed on our website and informs you about your rights under the General Data Protection Regulation (hereinafter "GDPR").
Last updated: December 8, 2025
Data Controller
The controller within the meaning of the GDPR for the data processing of personal data on our website is Aron Lange. If you have any questions or complaints about this Privacy Notice, please contact us via support@grclab.com.
For more contact information please visit our Imprint.
Personal data comprises all data by which you are or can be personally identified. This includes specific details provided by you, such as your name, residential address, telephone number, and email address. It also encompasses network identifiers, specifically your IP address, insofar as this data can be linked to your person or your internet connection.
What data is collected on this Website?
The following overview summarises the types of data processed and the purposes of their processing and refers to the data subjects.
When visiting the Website
Each time you access content on our website, data that may allow identification is temporarily stored by our hosting provider. The following data is collected automatically:
Date and time of access
IP address
Hostname of the accessing computer
Website from which our website was accessed (Referrer)
Websites accessed via our website
Page visited on our website
Notification of whether the access was successful (HTTP status code)
Transferred data volume
Information about the browser type and version used
Operating system used
The temporary storage of this data is necessary for the duration of a website visit to enable the delivery of the website to your device. Further storage in log files is carried out to ensure the functionality of the website and the security of our information technology systems (e.g., to detect attacks). These purposes constitute our legitimate interest in data processing according to Art. 6 (1) (f) GDPR.
Cookies
Cookies are small data files placed on your device that enable us to remember your preferences and collect information about your website usage. Tracking technologies, such as web beacons and pixel tags, help us understand how you interact with our site and which pages you visit.
How We Use These Technologies:
Necessary Cookies: These cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
Statistic Cookies: They help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
Functional Cookies: Enable the website to provide enhanced functionality and personalization, like remembering your preferences.
Advertising and Targeting Cookies: Used to deliver advertisements more relevant to you and your interests. They are also used to limit the number of times you see an advertisement and help measure the effectiveness of the advertising campaign.
We use the consent technology of Usercentrics to obtain your consent for the storage of certain cookies on your device or for the use of certain technologies and to document this in compliance with data protection regulations. The provider of this technology is Usercentrics GmbH, Sendlinger Str. 7, 80331 Munich, Germany.
When you visit our website, a Usercentrics cookie is stored in your browser in which the consents you have granted or the revocation of these consents are saved. This data is not shared with the provider of Usercentrics.
The legal basis for storing this cookie is the fulfillment of a legal obligation to provide proof of consent in accordance with Art. 6 Para. 1 lit. c GDPR.
Your Choices and Consent:
Upon your first visit, our website will present you with a cookie consent banner, where you can:
Accept All Cookies: Consent to the use of all cookies and tracking technologies.
Reject Non-Essential Cookies: Only essential cookies will be used to provide you with necessary website functions.
Customize Your Preferences: Choose which categories of cookies you wish to allow.
For more detailed information about the cookies we use, their purposes, and how you can manage your preferences, please visit our detailed Cookie Policy.
Newsletter
If you have expressly consented, we will use your email address to send you our newsletter regularly. Providing an email address is sufficient to receive the newsletter. Editions of the newsletter might contain advertisements and information about products and services provided by 'GRC Lab' and its partners.
The legal basis for processing your data after subscribing to the newsletter is your consent in accordance with Art. 6(1)(a) GDPR.
We use a double opt-in procedure for newsletter registration. This means that after you sign up, you will receive an email asking you to confirm your registration. This confirmation is necessary to prevent anyone from registering with someone else's email address.
We use the services of Substack, Inc., 548 Market St, PMB 72296, San Francisco, CA 94104, USA (hereinafter "Substack") to send and manage our newsletter.
The data you provide during registration (i.e., your email address and, if applicable, your name) is stored on Substack's servers in the USA. Substack uses this information to send and statistically analyze the newsletter on our behalf.
We have concluded a Data Processing Agreement (DPA) with Substack in accordance with Art. 28 GDPR. Through this agreement, Substack ensures that it protects our subscribers' data, processes it on our behalf, and, in particular, does not pass it on to third parties. This DPA is part of Substack's standard terms of service.
As Substack is a US-based company, personal data is transferred to a third country.
Substack, Inc. is certified under the EU-U.S. Data Privacy Framework (DPF). In its adequacy decision of July 10, 2023 (in accordance with Art. 45 GDPR), the European Commission recognized that US companies certified under the DPF ensure an adequate level of data protection.
The transfer of data to Substack is therefore primarily based on this adequacy decision.
As an additional safeguard (fallback mechanism), we have also concluded the EU Standard Contractual Clauses (SCCs) with Substack, which are part of Substack's Data Processing Agreement.
For more information, please refer to Substack's Privacy Policy or ask us about the DPA that has been concluded.
Substack's newsletters contain a "web beacon" (tracking pixel), which is retrieved from Substack's server when the newsletter is opened. This process collects technical information (e.g., browser type, operating system, IP address, and time of access).
Substack uses this data for the technical improvement of its services and for statistical analysis (e.g., determining if newsletters are opened, when they are opened, and which links are clicked). These analyses help us understand our users' reading habits and adapt our content accordingly or send different content based on our users' interests.
This performance tracking is also covered by your consent (Art. 6(1)(a) GDPR) given at the time of subscription.
We must inform you that when you register on the Substack platform, you also agree to Substack's own Terms of Use, Information Collection Notice and Privacy Policy. Substack also processes data for its own purposes (e.g., service optimization or security) and, in such cases, acts as a separate data controller.
For more information on how Substack handles data, please refer to their Privacy Policy.
You can revoke your consent to receive the newsletter at any time and unsubscribe. You will find an unsubscribe link at the end of each newsletter. Alternatively, you can send your revocation request via email to support@grclab.com.
Payment & Order Processing
On our website, we use the services of Lemon Squeezy, LLC (222 South Main Street, Suite 500, Salt Lake City, UT 84101, USA) as a "Merchant of Record" (reseller).
How it works: If you click on a purchase link for our products, you will be redirected to the Lemon Squeezy checkout page. At that point, Lemon Squeezy becomes your contractual partner and is responsible for processing the payment and invoicing. Lemon Squeezy acts as an independent Controller regarding your payment data (credit card, PayPal info).
Data Transfer to Us: To allow us to fulfill the contract (deliver the digital product, license key, or service), Lemon Squeezy transmits specific order data to us (e.g., your name, email address, product purchased, and license key). We process this data to fulfill our contractual obligations to you (Art. 6 Para. 1 lit. b GDPR).
Data Transfer to the USA: Lemon Squeezy is based in the USA. Data transfer to the USA is based on the Standard Contractual Clauses (SCCs) of the European Commission, which ensure a level of data protection comparable to that in the EU. We have concluded a Data Processing Agreement (DPA) with the provider to ensure the security of your data.
More Information: For more details, please see Lemon Squeezy's Privacy Policy: https://www.lemonsqueezy.com/privacy
Use of Our Online Courses and Digital Products (Teachable)
We offer online courses and digital products through the Teachable platform on our website. If you register for our courses, the personal data you provide during registration (e.g., name, email address, payment information) will be processed by Teachable.
Teachable is a third-party provider that processes your data in accordance with Teachable’s privacy policy. For more information on how Teachable processes your data, please refer to the Teachable Privacy Policy.
The data processing through Teachable is necessary for the performance of a contract under Art. 6(1)(b) GDPR and, where applicable, based on your consent in accordance with Art. 6(1)(a) GDPR.
For the provision of the online courses and digital products we use an external service provider, Teachable, Inc. / Hotmart B.V. (“Teachable”). Your personal data will be passed on to Teachable to provide the services. It is possible that the personal data collected is transferred to the affiliates of Framer B.V. and therefore transferred to the United States. Such transfers are based on the legal basis according to Article 46 GDPR, specifically on Standard Contractual Clauses which were concluded. For more information, please refer to Teachable’s Privacy Policy or ask us about the DPA that has been concluded.
Use of Our Contact Form
If you use the contact form on our website, the information you provide (e.g., name, email address, message) will be sent to us via email. This data is processed solely for the purpose of responding to your inquiry.
The legal basis for processing the data transmitted through the contact form is Art. 6(1)(b) GDPR (necessary for the performance of a contract or to take steps at the request of the data subject prior to entering into a contract) or Art. 6(1)(f) GDPR (legitimate interests in responding to inquiries).
Contact by E-Mail
On our Website, we offer you the opportunity to contact us by e-mail. When you contact us, the personal data you provide, such as your name, the content of the e-mail and your e-mail address, will be processed.
This data is processed by us for the purpose of enabling us to process your enquiry properly. If you contact us by e-mail, your personal data will not be passed on to third parties.
The data processing described above for the purpose of establishing contact is carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interests in being able to process your enquiry. If your enquiry serves to prepare the conclusion of a contract, Art. 6 para. 1 lit. b GDPR is an additional legal basis.
As soon as your enquiry has been dealt with and the matter in question has been conclusively clarified, your personal data processed via the contact form will be deleted. Further storage may take place in individual cases if this is required by law or is necessary for the fulfilment of the contract.
Are there any other recipients of the personal data besides the controller?
For the hosting of the Website we use an external service provider, Framer B.V., Framer Inc. and its respective affiliates (“Framer”). Your personal data will be passed on to Framer in order to provide the services. It is possible that the personal data collected is transferred to the affiliates of Framer B.V. and therefore transferred to the United States. Such transfers are based on the legal basis according to Article 46 GDPR, specifically on Standard Contractual Clauses which were concluded. For more information, please refer to Framer’s Privacy Policy or ask us about the DPA that has been concluded.
Public authorities: Authorities and state institutions, such as tax authorities, public prosecutors or courts, to which we (have to) transfer personal data, e.g. to fulfil legal obligations or to protect legitimate interests.
How long is the data stored?
The data will be deleted as soon as it is no longer necessary for the purpose for which it was collected. In the case of providing the website, this is the case when the respective session ends. The log files are stored […, maximum up to 24 hours] directly and exclusively accessible to administrators. After that, they are only indirectly available through the reconstruction of backup tapes and are finally deleted after […, a maximum of four weeks].
Data security and security measures
We undertake to treat your personal data confidentially. In order to prevent manipulation, loss or misuse of your data stored by us, we take extensive technical and organizational security precautions, which are regularly reviewed and adapted to technological progress.
However, we would like to point out that due to the structure of the Internet, it is possible that the rules of data protection and the above-mentioned security measures may not be observed by other persons or institutions outside our area of responsibility. In particular, unencrypted data - e.g. when sent by e-mail - may be read by third parties. We have no technical influence on this. It is your responsibility as a user to protect the data you provide against misuse by means of encryption or in any other way.
International data transfer
We process your data mainly within the European Union (EU) and the European Economic Area (EEA). However, some of our service providers may be based outside the EEA in so-called "third countries". The General Data Protection Regulation places high demands on the transfer of personal data to third countries. All our data recipients must fulfil these requirements. Before we transfer your data to a service provider in a third country, each service provider is first checked for its level of data protection. A service provider is only selected if it can demonstrate an adequate level of data protection outside the EEA. Regardless of whether our service providers are based within the EEA or in third countries, each service provider must conclude an order processing agreement with us. Service providers outside the EEA must fulfil additional requirements. In accordance with Art. 44 ff. GDPR, personal data may be transferred to service providers who fulfil at least one of the following requirements:
The European Commission has decided that the third country guarantees an adequate level of protection (e.g. Israel and Canada).
Standard contractual clauses have been included in our contract with the data recipient (including any additional measures if necessary).
Further appropriate safeguards pursuant to Art. 46 GDPR have been provided (e.g. Binding Corporate Rules).
In special exceptional cases in accordance with Art. 49 GDPR.
What Are Your Data Subject Rights?
You have the following rights regarding your personal data:
Right of Access (Art. 15 GDPR): You have the right to request information about your personal data that we process. Specifically, you may request details regarding the purposes of the processing, the categories of personal data concerned, the recipients to whom your data has been or will be disclosed, and the planned storage duration. You also have the right to know about the existence of your rights to rectification, erasure, restriction of processing, or objection, as well as the right to lodge a complaint. Furthermore, you may request information regarding the source of your data if it was not collected directly from you, and the existence of any automated decision-making, including profiling, along with meaningful information about the logic involved.
Right to Rectification (Art. 16 GDPR): You have the right to demand the immediate correction of inaccurate personal data or the completion of incomplete data stored by us.
Right to Erasure (Art. 17 GDPR): You have the right to request the deletion of your personal data stored by us, provided that the processing is not necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defense of legal claims.
Right to Restriction of Processing (Art. 18 GDPR): You have the right to request the restriction of the processing of your personal data if:
You contest the accuracy of the data;
The processing is unlawful, but you oppose the erasure of the data;
We no longer need the data, but you require it for the establishment, exercise, or defense of legal claims; or
You have objected to processing pursuant to Art. 21 GDPR.
Right to Data Portability (Art. 20 GDPR): You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, or to request its transmission to another controller.
Right to Withdraw Consent (Art. 7 Para. 3 GDPR): You have the right to withdraw your consent at any time. Consequently, we will no longer be permitted to continue any data processing that was based on this consent in the future.
Right to Lodge a Complaint (Art. 77 GDPR): Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the GDPR. Generally, you may contact the supervisory authority at your habitual residence, place of work, or the place of the alleged infringement.
Right to Object under Art. 21(1) GDPR: You have the right to object at any time, for reasons arising from your particular situation, to the processing of your personal data based on Article 6(1)(f) GDPR. The controller will then no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or the processing is for the establishment, exercise, or defense of legal claims. The collection of data for the provision of the website and the storage of log files are essential for the operation of the website.
Changes to this Privacy Notice
We are committed to keeping you informed about how we handle your personal information and any changes to our privacy practices. We may update this privacy policy from time to time to reflect changes in legal requirements, industry standards, or our business operations. We want to assure you that any updates will be communicated transparently and in accordance with applicable data protection laws.
Notification Process: In the event of significant changes to our privacy policy that may affect your rights or the way we handle your personal information, we will provide notice through prominent means, such as email, website notifications, or other appropriate channels. We will also indicate the effective date of the updated policy at the top of the document.
Reviewing Changes: We encourage you to review our privacy policy periodically to stay informed about how we collect, use, and protect your personal information. Your continued use of our services after any changes to the policy signifies your acceptance of the updated terms.