Privacy Policy

Introduction

The protection of your personal data is important to us. This privacy policy explains how your personal data is processed on our website (hereinafter referred to as “Website”) and informs you about your rights under the General Data Protection Regulation (GDPR).

Last updated: August 2024

Data Controller

The controller within the meaning of the General Data Protection Regulation (hereinafter "GDPR") for the data processing of personal data on our Website is:

Aron Lange
Bgm-Kolb-Ring 5a
89257 Illertissen
Germany

Email: support@grclab.com

Overview of the processing

The following overview summarises the types of data processed and the purposes of their processing and refers to the data subjects.

What data is processed for what purpose?

a) When visiting the Website

Each time you access content on the website, data that may allow identification is temporarily stored. The following data is collected:

  • Date and time of access

  • IP address

  • Hostname of the accessing computer

  • Website from which the website was accessed

  • Websites accessed via the website

  • Page visited on our website

  • Notification of whether the access was successful

  • Transferred data volume

  • Information about the browser type and version used

  • Operating system

The temporary storage of data is necessary for the duration of a website visit to enable the delivery of the website. Further storage in log files is carried out to ensure the functionality of the website and the security of information technology systems. These purposes also constitute our legitimate interest in data processing according to Art. 6(1)(f) GDPR.

b) Use of Our Newsletter (ConvertKit)

If you have expressly consented, we will use your email address to send you our newsletter regularly. Providing an email address is sufficient to receive the newsletter. Editions of the newsletter might contain advertisements and information about products and services provided by 'The GRC Lab' and its partners.

After entering your personal data, you will receive a confirmation email at the email address provided. The newsletter will only be sent after explicit confirmation by clicking on a link in the confirmation email (so-called double opt-in).

You can unsubscribe at any time, for example, via a link at the end of each newsletter. Alternatively, you can send your unsubscribe request to support@grclab.com via email at any time.

The data processing for the purpose of sending the newsletter is based on your explicit consent in accordance with Art. 6(1)(a) GDPR.

For the provision of the newsletter we use an external service provider, ConvertKit, Inc. (“ConvertKit”). Your personal data will be passed on to ConvertKit in order to provide the services. ConvertKit is based in the United States; it is therefore possible that the personal data collected is transferred to the United States. ConvertKit is certified according to the EU-U.S. Privacy Framework, which is why such transfers are based on the legal basis according to Article 45 GDPR. For more information, please refer to ConvertKit’s Privacy Policy (https://convertkit.com/gdpr) or ask us about the DPA that has been concluded.

c) Use of Our Online Courses and Digital Products (Teachable)

We offer online courses and digital products through the Teachable platform on our website. If you register for our courses, the personal data you provide during registration (e.g., name, email address, payment information) will be processed by Teachable.

Teachable is a third-party provider that processes your data in accordance with Teachable’s privacy policy. For more information on how Teachable processes your data, please refer to the Teachable Privacy Policy.

The data processing through Teachable is necessary for the performance of a contract under Art. 6(1)(b) GDPR and, where applicable, based on your consent in accordance with Art. 6(1)(a) GDPR.

For the provision of the online courses and digital products we use an external service provider, Teachable, Inc. / Hotmart B.V. (“Teachable”). Your personal data will be passed on to Teachable to provide the services. It is possible that the personal data collected is transferred to the affiliates of Framer B.V. and therefore transferred to the United States. Such transfers are based on the legal basis according to Article 46 GDPR, specifically on Standard Contractual Clauses which were concluded. For more information, please refer to Teachable’s Privacy Policy or ask us about the DPA that has been concluded.

d) Use of Our Contact Form

If you use the contact form on our website, the information you provide (e.g., name, email address, message) will be sent to us via email. This data is processed solely for the purpose of responding to your inquiry.

The legal basis for processing the data transmitted through the contact form is Art. 6(1)(b) GDPR (necessary for the performance of a contract or to take steps at the request of the data subject prior to entering into a contract) or Art. 6(1)(f) GDPR (legitimate interests in responding to inquiries).

e) Contact by E-Mail

On our Website, we offer you the opportunity to contact us by e-mail. When you contact us, the personal data you provide, such as title, name, content of the e-mail and your e-mail address, will be processed.

This data is processed by us for the purpose of enabling us to process your enquiry properly. If you contact us by e-mail, your personal data will not be passed on to third parties.

The data processing described above for the purpose of establishing contact is carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interests in being able to process your enquiry. If your enquiry serves to prepare the conclusion of a contract, Art. 6 para. 1 lit. b GDPR is an additional legal basis.

As soon as your enquiry has been dealt with and the matter in question has been conclusively clarified, your personal data processed via the contact form will be deleted. Further storage may take place in individual cases if this is required by law or is necessary for the fulfilment of the contract.

Are there any other recipients of the personal data besides the controller?

  • For the hosting of the Website we use an external service provider, Framer B.V., Framer Inc. and its respective affiliates (“Framer”). Your personal data will be passed on to Framer in order to provide the services. It is possible that the personal data collected is transferred to the affiliates of Framer B.V. and therefore transferred to the United States. Such transfers are based on the legal basis according to Article 46 GDPR, specifically on Standard Contractual Clauses which were concluded. For more information, please refer to Framer’s Privacy Policy or ask us about the DPA that has been concluded.

  • Framer is also our service provider for the cookie banner on our website, ensuring compliance with legal requirements for informing about cookie usage and obtaining consent if necessary. For further information please refer to our Cookie Policy.

  • Public authorities: Authorities and state institutions, such as tax authorities, public prosecutors or courts, to which we (have to) transfer personal data, e.g. to fulfil legal obligations or to protect legitimate interests.

How long is the data stored?

The data will be deleted as soon as it is no longer necessary for the purpose for which it was collected. In the case of providing the website, this is the case when the respective session ends. The log files are stored […, maximum up to 24 hours] directly and exclusively accessible to administrators. After that, they are only indirectly available through the reconstruction of backup tapes and are finally deleted after […, a maximum of four weeks].

Data security and security measures

We undertake to treat your personal data confidentially. In order to prevent manipulation, loss or misuse of your data stored by us, we take extensive technical and organizational security precautions, which are regularly reviewed and adapted to technological progress.

However, we would like to point out that due to the structure of the Internet, it is possible that the rules of data protection and the above-mentioned security measures may not be observed by other persons or institutions outside our area of responsibility. In particular, unencrypted data - e.g. when sent by e-mail - may be read by third parties. We have no technical influence on this. It is your responsibility as a user to protect the data you provide against misuse by means of encryption or in any other way.

International data transfer

We process your data mainly within the European Union (EU) and the European Economic Area (EEA). However, some of our service providers may be based outside the EEA in so-called "third countries". The General Data Protection Regulation places high demands on the transfer of personal data to third countries. All our data recipients must fulfil these requirements. Before we transfer your data to a service provider in a third country, each service provider is first checked for its level of data protection. A service provider is only selected if it can demonstrate an adequate level of data protection outside the EEA. Regardless of whether our service providers are based within the EEA or in third countries, each service provider must conclude an order processing agreement with us. Service providers outside the EEA must fulfil additional requirements. In accordance with Art. 44 ff. GDPR, personal data may be transferred to service providers who fulfil at least one of the following requirements:

  • The European Commission has decided that the third country guarantees an adequate level of protection (e.g. Israel and Canada).

  • Standard contractual clauses have been included in our contract with the data recipient (including any additional measures if necessary).

  • Further appropriate safeguards pursuant to Art. 46 GDPR are provided (e.g. Binding Corporate Rules).

  • In special exceptional cases in accordance with Art. 49 GDPR.

Rights of Data Subjects

a. Right of Access

You can request information about your personal data processed by us according to Art. 15 GDPR.

b. Right to Object

You have the right to object on special grounds (see under Section II).

c. Right to Rectification

If the information concerning you is incorrect (or no longer accurate), you can request rectification according to Art. 16 GDPR. If your data is incomplete, you can request completion.

d. Right to Erasure

You can request the deletion of your personal data according to Art. 17 GDPR.

e. Right to Restriction of Processing

You have the right to request the restriction of the processing of your personal data according to Art. 18 GDPR.

f. Right to Lodge a Complaint

If you believe that the processing of your personal data violates data protection law, you have the right to lodge a complaint with a data protection supervisory authority of your choice according to Art. 77(1) GDPR. This includes the data protection supervisory authority responsible for the controller: The State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia, https://www.ldi.nrw.de/kontakt/ihre-beschwerde.

g. Right to Data Portability

If the conditions of Art. 20(1) GDPR are met, you have the right to have the data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to third parties. The collection of data for the provision of the website and the storage of log files are essential for the operation of the website. Therefore, they are not based on consent under Art. 6(1)(a) GDPR or on a contract under Art. 6(1)(b) GDPR, but are justified under Art. 6(1)(f) GDPR. Therefore, the conditions of Art. 20(1) GDPR are not met in this respect.

Right to Object under Art. 21(1) GDPR

You have the right to object at any time, for reasons arising from your particular situation, to the processing of your personal data based on Article 6(1)(f) GDPR. The controller will then no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or the processing is for the establishment, exercise, or defense of legal claims. The collection of data for the provision of the website and the storage of log files are essential for the operation of the website.