Introduction
The protection of your personal data is important to us. This privacy policy explains how your personal data is processed on our website (hereinafter referred to as “Website”) and informs you about your rights under the General Data Protection Regulation (GDPR).
Last updated: November 2025
Data Controller
The controller within the meaning of the General Data Protection Regulation (hereinafter "GDPR") for the data processing of personal data on our Website is:
Aron Lange
Bgm-Kolb-Ring 5a
89257 Illertissen
Germany
Email: support@grclab.com
Overview of the processing
The following overview summarises the types of data processed and the purposes of their processing and refers to the data subjects.
What data is processed for what purpose?
a) When visiting the Website
Each time you access content on the website, data that may allow identification is temporarily stored. The following data is collected:
Date and time of access
IP address
Hostname of the accessing computer
Website from which the website was accessed
Websites accessed via the website
Page visited on our website
Notification of whether the access was successful
Transferred data volume
Information about the browser type and version used
Operating system
The temporary storage of data is necessary for the duration of a website visit to enable the delivery of the website. Further storage in log files is carried out to ensure the functionality of the website and the security of information technology systems. These purposes also constitute our legitimate interest according to (Art. 6 (1) (f) GDPR) in data processing.
b) Use of Our Newsletter (Substack)
1. Purpose of Processing and Legal Basis
If you have expressly consented, we will use your email address to send you our newsletter regularly. Providing an email address is sufficient to receive the newsletter. Editions of the newsletter might contain advertisements and information about products and services provided by 'GRC Lab' and its partners.
The legal basis for processing your data after subscribing to the newsletter is your consent in accordance with Art. 6(1)(a) GDPR.
2. Registration Process (Double Opt-In)
We use a double opt-in procedure for newsletter registration. This means that after you sign up, you will receive an email asking you to confirm your registration. This confirmation is necessary to prevent anyone from registering with someone else's email address.
3. Use of the Service Provider "Substack"
We use the services of Substack, Inc., 548 Market St, PMB 72296, San Francisco, CA 94104, USA (hereinafter "Substack") to send and manage our newsletter.
The data you provide during registration (i.e., your email address and, if applicable, your name) is stored on Substack's servers in the USA. Substack uses this information to send and statistically analyze the newsletter on our behalf.
4. Data Processing Agreement (DPA)
We have concluded a Data Processing Agreement (DPA) with Substack in accordance with Art. 28 GDPR. Through this agreement, Substack ensures that it protects our subscribers' data, processes it on our behalf, and, in particular, does not pass it on to third parties. This DPA is part of Substack's standard terms of service.
5. Data Transfer to a Third Country (USA)
As Substack is a US-based company, personal data is transferred to a third country.
Substack, Inc. is certified under the EU-U.S. Data Privacy Framework (DPF). In its adequacy decision of July 10, 2023 (in accordance with Art. 45 GDPR), the European Commission recognized that US companies certified under the DPF ensure an adequate level of data protection.
The transfer of data to Substack is therefore primarily based on this adequacy decision.
As an additional safeguard (fallback mechanism), we have also concluded the EU Standard Contractual Clauses (SCCs) with Substack, which are part of Substack's Data Processing Agreement.
For more information, please refer to Substack's Privacy Policy or ask us about the DPA that has been concluded.
6. Statistical Analysis and Performance Tracking
Substack's newsletters contain a "web beacon" (tracking pixel), which is retrieved from Substack's server when the newsletter is opened. This process collects technical information (e.g., browser type, operating system, IP address, and time of access).
Substack uses this data for the technical improvement of its services and for statistical analysis (e.g., determining if newsletters are opened, when they are opened, and which links are clicked). These analyses help us understand our users' reading habits and adapt our content accordingly or send different content based on our users' interests.
This performance tracking is also covered by your consent (Art. 6(1)(a) GDPR) given at the time of subscription.
7. Note on Substack's Terms and Conditions
We must inform you that when you register on the Substack platform, you also agree to Substack's own Terms of Use, Information Collection Notice and Privacy Policy. Substack also processes data for its own purposes (e.g., service optimization or security) and, in such cases, acts as a separate data controller.
For more information on how Substack handles data, please refer to their privacy policy at: https://substack.com/privacy
8. Right to Withdraw Consent and Data Storage
You can revoke your consent to receive the newsletter at any time and unsubscribe. You will find an unsubscribe link at the end of each newsletter. Alternatively, you can send your revocation request via email to support@grclab.com.
c) Use of Our Online Courses and Digital Products (Teachable)
We offer online courses and digital products through the Teachable platform on our website. If you register for our courses, the personal data you provide during registration (e.g., name, email address, payment information) will be processed by Teachable.
Teachable is a third-party provider that processes your data in accordance with Teachable’s privacy policy. For more information on how Teachable processes your data, please refer to the Teachable Privacy Policy.
The data processing through Teachable is necessary for the performance of a contract under Art. 6(1)(b) GDPR and, where applicable, based on your consent in accordance with Art. 6(1)(a) GDPR.
For the provision of the online courses and digital products we use an external service provider, Teachable, Inc. / Hotmart B.V. (“Teachable”). Your personal data will be passed on to Teachable to provide the services. It is possible that the personal data collected is transferred to Teachable's affiliates and therefore transferred to the United States. Such transfers are based on the legal basis according to Article 46 GDPR, specifically on Standard Contractual Clauses which were concluded. For more information, please refer to Teachable’s Privacy Policy or ask us about the DPA that has been concluded.
d) Use of Our Contact Form
If you use the contact form on our website, the information you provide (e.g., name, email address, message) will be sent to us via email. This data is processed solely for the purpose of responding to your inquiry.
The legal basis for processing the data transmitted through the contact form is Art. 6(1)(b) GDPR (necessary for the performance of a contract or to take steps at the request of the data subject prior to entering into a contract) or Art. 6(1)(f) GDPR (legitimate interests in responding to inquiries).
e) Contact by E-Mail
On our Website, we offer you the opportunity to contact us by E-Mail. When you contact us, the personal data you provide such as title, name, content of the e-mail and your e-mail address, will be processed.
This data is processed by us for the purpose of enabling us to process your enquiry properly. If you contact us by e-mail, your personal data will not be passed on to third parties.
The data processing described above for the purpose of establishing contact is carried out in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interests in being able to process your enquiry. If your enquiry serves to prepare the conclusion of a contract, Art. 6(1)(b) GDPR is an additional legal basis.
As soon as your enquiry has been dealt with and the matter in question has been conclusively clarified, the personal data processed in connection with your enquiry (whether by e-mail or via the contact form) will be deleted. Further storage may take place in individual cases if this is required by law or is necessary for the fulfilment of the contract.
Are there any other recipients of the personal data besides the controller?
For the hosting of the Website we use an external service provider, Framer B.V., Framer Inc. and its respective affiliates (“Framer”). Your personal data will be passed on to Framer in order to provide the services. It is possible that the personal data collected is transferred to the affiliates of Framer B.V. and therefore transferred to the United States. Such transfers are based on the legal basis according to Article 46 GDPR, specifically on Standard Contractual Clauses which were concluded. For more information, please refer to Framer’s Privacy Policy or ask us about the DPA that has been concluded.
Framer is also our service provider for the cookie banner on our website, ensuring compliance with legal requirements for informing about cookie usage and obtaining consent if necessary. For further information please refer to our Cookie Policy.
Public authorities: Authorities and state institutions, such as tax authorities, public prosecutors or courts, to which we (have to) transfer personal data, e.g. to fulfil legal obligations or to protect legitimate interests.
How long is the data stored?
The data will be deleted as soon as it is no longer necessary for the purpose for which it was collected. In the case of providing the website, this is the case when the respective session ends. The log files are stored for […, maximum up to 24 hours] in a form that is directly and exclusively accessible to administrators. After that, they are only indirectly available through the reconstruction of backup tapes and are finally deleted after […, a maximum of four weeks].
Data security and security measures
We undertake to treat your personal data confidentially. In order to prevent manipulation, loss or misuse of your data stored by us, we take extensive technical and organizational security precautions, which are regularly reviewed and adapted to technological progress.
However, we would like to point out that due to the structure of the Internet, it is possible that the rules of data protection and the above-mentioned security measures may not be observed by other persons or institutions outside our area of responsibility. In particular, unencrypted data - e.g. when sent by e-mail - may be read by third parties. We have no technical influence on this. It is your responsibility as a user to protect the data you provide against misuse by means of encryption or in any other way.
International data transfer
We process your data mainly within the European Union (EU) and the European Economic Area (EEA). However, some of our service providers may be based outside the EEA in so-called "third countries". The General Data Protection Regulation places high demands on the transfer of personal data to third countries. All our data recipients must fulfil these requirements. Before we transfer your data to a service provider in a third country, each service provider is first checked for its level of data protection. A service provider is only selected if it can demonstrate an adequate level of data protection outside the EEA. Regardless of whether our service providers are based within the EEA or in third countries, each service provider must conclude an order processing agreement with us. Service providers outside the EEA must fulfil additional requirements. In accordance with Art. 44 ff. GDPR, personal data may be transferred to service providers who fulfil at least one of the following requirements:
The European Commission has decided that the third country guarantees an adequate level of protection (e.g. Israel and Canada).
Standard contractual clauses have been included in our contract with the data recipient (including any additional measures if necessary).
Further appropriate safeguards pursuant to Art. 46 GDPR are provided (e.g. Binding Corporate Rules).
In special exceptional cases in accordance with Art. 49 GDPR.
Rights of Data Subjects
a. Right of Access
You can request information about your personal data processed by us according to Art. 15 GDPR.
b. Right to Object
You have the right to object on grounds relating to your particular situation (see the section "Right to Object under Art. 21(1) GDPR" below).
c. Right to Rectification
If the information concerning you is incorrect (or no longer accurate), you can request rectification according to Art. 16 GDPR. If your data is incomplete, you can request completion.
d. Right to Erasure
You can request the deletion of your personal data according to Art. 17 GDPR.
e. Right to Restriction of Processing
You have the right to request the restriction of the processing of your personal data according to Art. 18 GDPR.
f. Right to Lodge a Complaint
If you believe that the processing of your personal data violates data protection law, you have the right to lodge a complaint with a data protection supervisory authority of your choice according to Art. 77(1) GDPR. This includes the data protection supervisory authority responsible for the controller: The State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia, https://www.ldi.nrw.de/kontakt/ihre-beschwerde.
g. Right to Data Portability
If the conditions of Art. 20(1) GDPR are met, you have the right to have the data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to third parties. The collection of data for the provision of the website and the storage of log files are essential for the operation of the website. Therefore, they are not based on consent under Art. 6(1)(a) GDPR or on a contract under Art. 6(1)(b) GDPR, but are justified under Art. 6(1)(f) GDPR. Therefore, the conditions of Art. 20(1) GDPR are not met in this respect.
Right to Object under Art. 21(1) GDPR
You have the right to object at any time, for reasons arising from your particular situation, to the processing of your personal data based on Article 6(1)(f) GDPR. The controller will then no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or the processing is for the establishment, exercise, or defense of legal claims. The collection of data for the provision of the website and the storage of log files are essential for the operation of the website.