Privacy Policy
Information about the processing of your personal data
Last updated: 30 March 2026
1. Privacy at a Glance
General Information
The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data by which you can be personally identified.
Who is responsible for data collection on this website?
Data processing on this website is carried out by:
Fluxward Consulting GbR
represented by David Rofall and Frederic Baltes
In Gerichhausen 23 A
41844 Wegberg
Germany
Email: hello@fluxward.com
2. Hosting
This website is hosted by Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. Vercel is certified under the EU-U.S. Data Privacy Framework. When you access this website, the hosting provider processes technically required connection data, including IP address, time of access, data volume transferred, and requested files.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in reliable website provision).
Third-country transfer: USA, secured by EU-U.S. Data Privacy Framework.
Details: https://vercel.com/legal/privacy-policy
3. General Information and Mandatory Disclosures
Data Protection
The operators of this website take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data protection regulations and this privacy policy.
Data Protection Officer
We are not legally required to appoint a Data Protection Officer, as fewer than 20 persons in our company are regularly engaged in the automated processing of personal data (§ 38(1) BDSG). For data protection enquiries, please contact: hello@fluxward.com
Data Processing Agreements
We have entered into Data Processing Agreements (DPAs) pursuant to Art. 28 GDPR with all service providers that process personal data on our behalf. This includes: Vercel (hosting), Supabase (database), OpenAI (AI contact processing), Anthropic (AI evaluation), Microsoft (email, scheduling), and Plausible Analytics (web analytics).
Storage Duration
Unless a more specific storage period has been stated within this privacy policy, your personal data will remain with us until the purpose for data processing no longer applies. If you assert a legitimate request for deletion or revoke consent for data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data.
Revocation of Consent
Many data processing operations are only possible with your express consent. You can revoke consent already given at any time. The legality of data processing carried out before revocation remains unaffected.
Right to Object (Art. 21 GDPR)
If data processing is based on Art. 6(1)(f) GDPR, you have the right to object to the processing of your personal data at any time for reasons arising from your particular situation.
Right to Lodge a Complaint
In the event of violations of the GDPR, data subjects have a right to lodge a complaint with a supervisory authority. The supervisory authority responsible for us is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestr. 2-4, 40213 Düsseldorf, Germany
https://www.ldi.nrw.de
SSL/TLS Encryption
This site uses SSL/TLS encryption for security reasons and to protect the transmission of confidential content.
4. Data Collection on This Website
Cookies and Local Storage
This website does not use cookies for tracking or analytics purposes. Only your chosen display mode (light/dark) is stored in your browser's localStorage. This is a purely technical function that does not collect personal data and is not transmitted to servers.
Note on embedded third-party content: On our contact page, a Microsoft Outlook Bookings calendar can be embedded. The calendar is only loaded after your active consent (click on "Load calendar"). No connection to Microsoft servers is established before your click. After activation, Microsoft may set its own cookies.
Contact Form
When you send us enquiries via the contact form, your details are stored for the purpose of processing your request.
AI-assisted pre-processing: Your contact enquiry is pre-processed using AI services from OpenAI, L.L.C. (USA). This includes generating an internal summary of your enquiry, an urgency assessment, and a draft reply. This pre-processing serves exclusively to improve our internal response efficiency. Draft replies are always reviewed by a team member before sending — no automated responses are sent.
Email draft creation: Based on the AI pre-processing, draft replies are created in the Fluxward email mailbox via the Microsoft Graph API. Your name and email address are transmitted to Microsoft servers for this purpose. Drafts are only sent after manual review.
Data collected: Name, email, company (optional), message, IP address, user agent, timestamp.
Legal basis: Art. 6(1)(a) GDPR (consent via checkbox) and Art. 6(1)(b) GDPR (pre-contractual measures).
Storage period: Until full processing; then per statutory retention periods (max. 6 years per § 257 HGB).
Spam protection: Honeypot field for automated bot detection.
Rate limiting: Durable server-side throttling via Upstash Redis. For this purpose, a hashed client fingerprint is derived from the client IP and processed only in that protected form.
Storage in Supabase
Contact submissions and AI readiness evaluations are stored in our database at Supabase, Inc. (USA), certified under the EU-U.S. Data Privacy Framework.
Details: https://supabase.com/privacy
AI-Assisted Processing
We use AI services for two clearly defined purposes:
a) Contact enquiries — OpenAI, L.L.C. (USA)
Incoming contact enquiries are pre-structured using the OpenAI API (model: GPT-4.1-mini). Processing includes: summary of the enquiry, urgency assessment (low / medium / high), recommended next steps, and a draft reply. Data submitted via the API is not used by OpenAI for model training.
Legal basis: Art. 6(1)(a) GDPR (consent via checkbox) and Art. 6(1)(f) GDPR (legitimate interest in efficient processing).
Third-country transfer: USA, secured by DPA with OpenAI and Standard Contractual Clauses (SCCs).
Details: https://openai.com/policies/privacy-policy/
b) AI Readiness Evaluation — Anthropic, PBC (USA)
The personalised assessment of the AI Readiness Check (/en/ai-check) is generated using the Anthropic Claude API (model: Claude Sonnet). Your questionnaire responses (industry, company size, role, AI status, goals, contact details) are transmitted to Anthropic to generate an individual assessment. The assessment includes: readiness level (beginner / intermediate / advanced), use case recommendations, estimated time savings, and a recommended consulting offer.
Data submitted via the API is not used by Anthropic for model training.
Legal basis: Art. 6(1)(a) GDPR (consent via checkbox) and Art. 6(1)(b) GDPR (pre-contractual measures).
Third-country transfer: USA, secured by DPA with Anthropic and Standard Contractual Clauses (SCCs).
Details: https://www.anthropic.com/legal/privacy
AI Readiness Evaluation (/en/ai-check)
On our AI check page, you can complete an AI readiness assessment. Data collected includes:
- Company information: industry, size, role
- AI status: current usage, biggest challenge, routine work hours
- Goals: primary goal, timeframe, budget (optional)
- Contact details: name, email, company, phone (optional)
Legal basis: Art. 6(1)(a) GDPR (consent via checkbox) and Art. 6(1)(b) GDPR (pre-contractual measures).
Processing: Storage in Supabase, AI-assisted evaluation via Anthropic Claude API (see "AI-Assisted Processing", section b).
Storage period: 12 months, then deleted unless a contractual relationship has been established.
5. Website Functions and Services
Microsoft Outlook Bookings
On our contact page, a booking calendar from Microsoft Outlook Bookings can be embedded. The calendar is only loaded after your active consent (click on "Load calendar"). No connection to Microsoft servers is established before your click. After activation, Microsoft may set its own cookies and process technical data (IP address, browser, timestamp).
Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) and Art. 6(1)(f) GDPR (legitimate interest in efficient scheduling).
Third-country transfer: USA, secured by EU-U.S. Data Privacy Framework.
Details: https://privacy.microsoft.com/en-us/privacystatement
6. Your Rights
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR) — You can request your data in a structured, commonly used, machine-readable format (e.g. JSON or CSV).
- Right to object (Art. 21 GDPR)
- Right to withdraw consent
- Right to lodge a complaint with the supervisory authority (LDI NRW)
To exercise your rights, contact us at: hello@fluxward.com
7. Automated Decision-Making and Profiling (Art. 13(2)(f) GDPR)
As part of processing your data, we employ AI-based procedures that automatically assess certain aspects (profiling):
- Contact form: Incoming enquiries are automatically classified by urgency (low / medium / high) and subject matter.
- AI Readiness Check: Your questionnaire responses are automatically evaluated to determine a readiness level (beginner / intermediate / advanced) and matching recommendations.
No solely automated decisions: In no case are decisions with legal effect or similarly significant impact made solely by automated means (Art. 22 GDPR). All AI-generated results are reviewed by a team member before any business-relevant decision is taken. AI evaluations serve exclusively as internal decision support and recommendations.
8. Third-Country Transfers
We use services from companies based in the USA. For all US service providers that process personal data, we ensure an adequate level of data protection — either through the EU-U.S. Data Privacy Framework (DPF), Standard Contractual Clauses (SCCs), or individual Data Processing Agreements (DPAs).
- Vercel Inc. (Hosting) — EU-U.S. Data Privacy Framework
- Supabase Inc. (Database) — DPA + Standard Contractual Clauses (SCCs)
- Upstash, Inc. (Rate Limiting / Redis) — DPA + Standard Contractual Clauses (SCCs)
- OpenAI L.L.C. (AI Contact Processing) — DPA + Standard Contractual Clauses (SCCs)
- Anthropic, PBC (AI Evaluation) — DPA + Standard Contractual Clauses (SCCs)
- Microsoft Corporation (Scheduling, Email, Graph API) — EU-U.S. Data Privacy Framework
Plausible Insights OÜ (web analytics) is based in Estonia (EU) and processes all data within the EU — no third-country transfer takes place.
9. Changes to This Privacy Policy
This privacy policy is currently valid as of March 2026. Due to the ongoing development of our website or changes in legal requirements, it may become necessary to update this policy. The current version can always be accessed on this page.