Privacy Policy

[DRAFT – TO BE REVIEWED LEGALLY] This document is a content draft for the privacy policy of the website at ingenieurbüro-wolff.de (Punycode xn--ingenieurbrowolff-c3b.de). It serves as a structured working basis and does not constitute legal advice. Before publication, a review by a lawyer or qualified data protection specialist is mandatory. All items marked with [PLACEHOLDER – to be verified legally] must be verified and, where applicable, completed before going live (in particular the hosting provider, the services used, retention periods, and processors).


1. Data Controller and Privacy at a Glance

1.1 Data Controller within the Meaning of the GDPR

The controller responsible for the processing of data on this website is:

Patrick Wolff
Ingenieurbüro Wolff
Im Korn 9
71636 Ludwigsburg
Germany

E-mail: info@wolffappliedai.de
Phone: +49 7141 4737771
Mobile: +49 151 23346207

Note: The associated mandatory details (e.g. VAT identification number) can be found in the Imprint (Impressum). Where a VAT identification number or a statutory/professional supervisory authority applies, these details are to be provided there. [PLACEHOLDER – to be verified legally]

1.2 Data Protection Officer

The appointment of a data protection officer is not legally required in every case. Whether Ingenieurbüro Wolff is subject to an obligation to appoint one (cf. Section 38 BDSG, Art. 37 GDPR) must be assessed on a case-by-case basis.

[PLACEHOLDER – to be verified legally] (Whether an appointment is mandatory, and any contact details, must be verified legally. If there is no such obligation, this section may be omitted or replaced by a corresponding note.)

1.3 Principles of This Website

This website is implemented as a static website and designed according to the principle of data minimisation (Art. 5(1)(c) GDPR):

  • No tracking or analytics cookies and no tracking services without your prior consent.
  • No integration of external advertising or profiling networks.
  • Self-hosted fonts – no loading from third-party CDNs (e.g. no Google Fonts CDN).
  • Interactive tools (e.g. maturity check, use-case finder, potential calculator) process your inputs exclusively locally in your browser; no transmission to us or to third parties takes place.
  • Chatbot, voicebot, and telephone/voice services are disabled by default and – if activated in the future – will be made transparent through separate notices (see Section 9).

2. General Information on Data Processing

2.1 Scope of the Processing of Personal Data

As a matter of principle, we process personal data of our users only insofar as this is necessary to provide a functional website as well as our content and services. Processing generally takes place only with the user’s consent, or where prior consent cannot be obtained for factual reasons and the processing is permitted by statutory provisions.

2.2 Definitions

This privacy policy uses the terms of the General Data Protection Regulation (GDPR), in particular “personal data” (Art. 4(1) GDPR), “processing” (Art. 4(2) GDPR), “controller” (Art. 4(7) GDPR), and “processor” (Art. 4(8) GDPR).

Where we obtain the consent of the data subject for processing operations, Art. 6(1)(a) GDPR serves as the legal basis. For processing necessary for the performance of a contract or for the implementation of pre-contractual measures, Art. 6(1)(b) GDPR serves as the legal basis. Insofar as processing is necessary for compliance with a legal obligation, Art. 6(1)(c) GDPR applies. Where processing is based on our legitimate interests or those of a third party, Art. 6(1)(f) GDPR serves as the legal basis.

The respective applicable legal basis is named specifically in the following sections.


3. Provision of the Website and Hosting (Server Log Files)

3.1 Description and Scope of Processing

Each time this website is accessed, the hosting provider’s system automatically collects data and information from the system of the accessing computer. The following data may be recorded in server log files:

  • IP address of the requesting device (possibly shortened/anonymised – see below),
  • date and time of access,
  • name and URL of the file retrieved or the page accessed,
  • volume of data transferred,
  • notification of successful retrieval (HTTP status code),
  • browser type and version used,
  • the user’s operating system,
  • the website from which access is made (referrer URL), where transmitted.

This data serves the technical delivery of the website, the assurance of IT security (e.g. defence against attacks, detection of misuse), as well as stability and error analysis. A combination of this data with other data sources for the purpose of creating user profiles does not take place.

Recommendation: Insofar as the hosting provider allows shortening/anonymisation of the IP address in the logs, this should be enabled. [PLACEHOLDER – to be verified legally] (Verify the actual scope of log data and IP anonymisation with the host.)

3.2 Legal Basis

The legal basis for the temporary storage of the data and the log files is Art. 6(1)(f) GDPR (legitimate interest). Our legitimate interest lies in the technically error-free provision and the security of our website.

3.3 Storage Period

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of data collected to provide the website, this is the case when the respective session has ended. Server log files are generally deleted or anonymised after a defined period.

[PLACEHOLDER – to be verified legally] (Enter the specific storage period for the server log files (e.g. 7, 14, or 30 days) in accordance with the host’s configuration/data processing agreement.)

3.4 Hosting Provider and Processing on Our Behalf

The website is hosted by an external service provider (hosting provider). The provider processes the above-mentioned data on our behalf. Where required, a data processing agreement (DPA) pursuant to Art. 28 GDPR is in place with the provider; it ensures processing in compliance with data protection law.

[PLACEHOLDER – to be verified legally] (Enter the name and address of the hosting provider, the server location (preferably EU/EEA), and the existence of a DPA; for transfers to third countries see Section 10.)


4. Cookies and Local Storage

4.1 Technically Necessary Storage

This website does not use any tracking, analytics, or marketing cookies and does not integrate any consent-requiring third-party services that would set cookies without consent.

Insofar as technically strictly necessary storage operations take place (e.g. to ensure basic functions or security), this is done on the basis of Section 25(2) TDDDG (technically strictly necessary) in conjunction with Art. 6(1)(f) GDPR. Under the applicable legal situation, no consent is required for such strictly necessary operations.

4.2 Local Browser Storage by Interactive Tools

The interactive tools of this website (see Section 6) may – if you use them – store data in the local storage of your browser (localStorage), for example to retain your inputs or interim results. This data:

  • remains exclusively on your device,
  • is not transmitted to us or to third parties,
  • can be deleted by you at any time via a reset/delete function in the tool or via your browser settings.

Should a consent-requiring service be integrated in the future, its activation will only take place after your express consent (Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG) via a corresponding consent banner. In this case, this privacy policy will be adapted accordingly beforehand.


5. Contacting Us

5.1 Contact Form

This website offers a data-minimising contact form. Via the form you can send us a message. Only the data required for processing is collected:

  • the contact details you provide (e.g. name, e-mail address, optionally company/phone),
  • the content of your message,
  • where applicable, the technical timestamp of the transmission.

Mandatory fields are limited to the necessary minimum; additional information is voluntary. You should not enter any special categories of personal data (Art. 9 GDPR) in free-text fields.

Protective Measures / Data Minimisation

  • Active consent: Before sending, you confirm by ticking a checkbox that your details may be processed to handle the enquiry (no pre-selected box).
  • Honeypot method: To protect against automated spam, a form field that is invisible to you (“honeypot”) is used. If this field is filled in, the submission is classified as spam and discarded. The method works without tracking, without cookies, and without analysis of personal behavioural data.

Transmission Path

The processing of the form is designed so that the data is transmitted to us via a configurable endpoint. Depending on the configuration, one of the following paths is used:

  1. Form endpoint (dispatch service): The form data is forwarded to us via a technical endpoint. If an external service provider is used for this, it processes the data on our behalf on the basis of a DPA (Art. 28 GDPR). [PLACEHOLDER – to be verified legally] (Enter the name/address of the form/dispatch service provider, server location, and DPA, if used.)
  2. mailto fallback: Alternatively, the form may be configured so that, on submission, your local e-mail program opens and you send the message directly by e-mail to us. In this case, no server-side processing via a third-party service takes place; the general information on contacting us by e-mail applies (Section 5.2).

5.2 Contacting Us by E-mail, Phone, or Post

If you contact us by e-mail, phone, or post, your details (e.g. name, contact data, content of the enquiry) are processed and stored to handle your request. With communication by e-mail, full transport encryption cannot be guaranteed in all cases; for confidential content, an alternative, secure transmission path can be arranged.

5.3 Legal Basis

The legal basis for the processing of the data transmitted in the course of contacting us is:

  • Art. 6(1)(a) GDPR (consent), insofar as you expressly consent via the contact form; consent may be withdrawn at any time with effect for the future.
  • Art. 6(1)(b) GDPR, insofar as contacting us is aimed at concluding or performing a contract (pre-contractual measures).
  • Art. 6(1)(f) GDPR (legitimate interest in responding to general enquiries).

5.4 Storage Period

We delete the data as soon as it is no longer required to achieve the purpose for which it was collected. For enquiries, this is generally the case once the respective matter has been conclusively dealt with and it is apparent from the circumstances that the matter has been resolved. Any statutory retention obligations (e.g. commercial and tax law periods under the HGB/AO) remain unaffected.

[PLACEHOLDER – to be verified legally] (Define the specific retention/deletion periods.)


6. Interactive Tools (Local Processing in the Browser)

This website provides interactive self-service tools, in particular:

  • Maturity check (self-assessment of AI maturity),
  • Use-case finder (assistance in identifying suitable use cases),
  • Potential/benefit calculator (rough estimate of potentials).

6.1 Functioning and Data Processing

These tools are designed so that all calculations and the processing of your inputs take place exclusively locally in your browser:

  • Your inputs are not transmitted to our server and not to third parties.
  • There is no server-side storage of your inputs.
  • Optionally, inputs/results may be stored for convenience in the local browser storage (localStorage) so that they are retained on a return visit (see Section 4.2). This data remains on your device.
  • Via a reset/delete function, you can remove locally stored data yourself at any time.

Since the mere use of the tools involves no transmission of personal data to us, there is no processing by us within the meaning of the GDPR in this respect. Insofar as technically necessary local storage takes place for the function, this is based on Section 25(2) TDDDG in conjunction with Art. 6(1)(f) GDPR.

Should you decide to subsequently transmit the results determined in a tool to us voluntarily via the contact form or by e-mail (e.g. to request a consultation), the information in Section 5 applies.

Content note: The results of the tools serve as non-binding orientation and do not replace an individual professional or legal review. In particular, they do not constitute legal advice.


7. Self-Hosted Fonts and Other Content

7.1 Fonts

For a consistent presentation of fonts, this website uses self-hosted fonts. The font files are delivered directly from the server of this website (or of the hosting provider). A connection to third-party servers (e.g. Google Fonts CDN) does not take place for this purpose; no data is transmitted to third-party providers in this respect.

7.2 Embedded Media and External Content

External content (e.g. embedded maps, videos, social media plugins) is not integrated without further consideration, insofar as it would establish a connection to third-party servers or transmit data to third parties. Should such a service be used in the future, it will be described separately in this privacy policy and – where required – only activated after consent.

[PLACEHOLDER – to be verified legally] (If maps, videos, or other third-party content are integrated, add details here.)


8. Recipients and Processing on Our Behalf

Your personal data is transmitted to third parties only where this is legally permissible, you have consented, or this is necessary for the performance of a contract.

Processors: Insofar as we use external service providers (e.g. hosting provider, possibly a form/dispatch service) that process personal data on our behalf, this is done on the basis of a data processing agreement pursuant to Art. 28 GDPR. The service providers are bound by our instructions and are carefully selected and monitored.

[PLACEHOLDER – to be verified legally] (Maintain a conclusive list of all processors used, with purpose, provider, location, and a note on the DPA.)


9. Chatbot, Voicebot, and Voice Services

Any dialogue-based functions such as a chatbot, voicebot, or telephone/voice assistance services are disabled by default on this website. They are controlled by a technical feature flag and are not active in the delivered state; in this respect, no external SDKs are integrated and no data is transmitted to corresponding services.

Should such functions be activated in the future, the following applies:

  • Separate, dedicated privacy notices will be provided for the respective service (nature and scope of the data processed, provider, legal basis, storage period, and any third-country transfer).
  • For speech- or dialogue-based AI services, the machine nature of the service will be transparently disclosed (also with regard to the transparency requirements of the EU AI Act).
  • Activation involving the transmission of personal data to third parties takes place – where required – only after consent (Art. 6(1)(a) GDPR).

[PLACEHOLDER – to be verified legally] (On activation: link a separate document “chatbot-voicebot-hinweise.md” and add the specific providers/processing operations; observe the transparency obligations of the EU AI Act (technical-organisational, not legal advice).)


10. Data Transfers to Third Countries

A transfer of personal data to countries outside the European Union (EU) or the European Economic Area (EEA) is not intended, provided that the services used (in particular hosting) are operated within the EU/EEA.

Should processing nevertheless take place in a third country in an individual case (e.g. by a service provider), this is done only in compliance with the requirements of Art. 44 et seq. GDPR, for example on the basis of an adequacy decision of the EU Commission, by means of Standard Contractual Clauses (SCC), or other appropriate safeguards.

[PLACEHOLDER – to be verified legally] (Check the actual third-country relevance of the services used and name the safeguards.)


11. Data Security

We take appropriate technical and organisational measures (TOMs) in accordance with Art. 32 GDPR to protect the data processed via this website against accidental or unlawful processing, loss, alteration, and unauthorised access. This includes in particular transport encryption (TLS/HTTPS) when accessing the website. Our security measures are continuously improved in line with technological developments.


12. Rights of Data Subjects

As a data subject, you have the following rights with regard to your personal data:

  • Access (Art. 15 GDPR) – to the data stored about you.
  • Rectification (Art. 16 GDPR) – of inaccurate or incomplete data.
  • Erasure (Art. 17 GDPR) – “right to be forgotten”, insofar as no statutory retention obligations stand in the way.
  • Restriction of processing (Art. 18 GDPR).
  • Data portability (Art. 20 GDPR) – receipt of your data in a structured, commonly used, machine-readable format.
  • Objection (Art. 21 GDPR) – to processing based on Art. 6(1)(f) GDPR, on grounds relating to your particular situation.
  • Withdrawal of consent (Art. 7(3) GDPR) – at any time with effect for the future; the lawfulness of the processing carried out until withdrawal remains unaffected.

To exercise your rights, an informal notification to the controller named in Section 1.1 is sufficient.

12.1 Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other remedies, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR), in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement.

The authority responsible for the controller’s registered office (Baden-Württemberg) is:

The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg (LfDI BW)
Lautenschlagerstraße 20, 70173 Stuttgart, Germany
Website: www.baden-wuerttemberg.datenschutz.de

[PLACEHOLDER – to be verified legally] (Verify the competence and contact details of the supervisory authority before publication.)


13. Existence of Automated Decision-Making

Automated decision-making, including profiling, within the meaning of Art. 22 GDPR does not take place on this website.


14. Validity and Amendment of This Privacy Policy

This privacy policy is currently valid and has the status indicated below. As a result of the further development of the website, the addition of new functions (e.g. activation of a chatbot/voicebot, integration of new services), or due to changed legal or regulatory requirements, it may become necessary to amend this privacy policy. The respective current version can be accessed at any time on this website.


Status: 2026-06-17 · Draft, subject to legal/professional review