Controller

The controller within the meaning of data protection laws, in particular the EU General Data Protection Regulation (GDPR), is:

Benedict Bordewicz
Karlsbader Str. 138
09456 Annaberg-Buchholz

Email: info@craftiqflow.ai

Your Rights as a Data Subject

Using the contact details provided, you may exercise the following rights at any time under the EU General Data Protection Regulation (GDPR):

• Access to your data stored with us and information about its processing (Art. 15 GDPR),
• Rectification of inaccurate personal data (Art. 16 GDPR),
• Erasure of your data stored with us (Art. 17 GDPR),
• Restriction of data processing if we are not yet allowed to delete your data due to legal obligations (Art. 18 GDPR),
• Objection to the processing of your data (Art. 21 GDPR), and
• Data portability, if you have consented to data processing or have concluded a contract with us (Art. 20 GDPR).

If you have given us consent, you may revoke it at any time with effect for the future.

You can manage your consent here:

You may also lodge a complaint at any time with a supervisory authority, e.g., the competent supervisory authority of your place of residence, or the authority responsible for us as the controller.

A list of supervisory authorities (for the non-public sector) including their addresses can be found here: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.

Processing Activities

Collection of General Information When Visiting Our Website

Type and Purpose of Processing

When you access our website, i.e., if you do not register or otherwise submit information, general information is automatically collected. This information (server log files) includes, for example, the type of web browser, the operating system used, the domain name of your internet service provider, your IP address, and similar data.

This information is processed in particular for the following purposes:

• Ensuring a smooth connection to the website,
• Ensuring smooth use of our website,
• Ensuring and evaluating system security and stability, in particular for detecting misuse, and
• For the technically error-free display and optimization of the website.

We do not use your data to draw conclusions about your person. However, we reserve the right to subsequently review server log files if there are specific indications of unlawful use.

Legal Basis and Legitimate Interest

The processing is carried out pursuant to Art. 6 (1) (f) GDPR based on our legitimate interest in improving the stability and functionality of our website as well as ensuring system security and detecting misuse.

Recipients

The recipients of the data may be technical service providers who act as data processors for the operation and maintenance of our website.

Storage Period

Data in server log files, which may allow identification of the individuals concerned, are stored for a maximum of 30 days unless a security-relevant event occurs (e.g., a DDoS attack).

In the event of such an incident, server log files are stored until the security-related event has been resolved and fully investigated.

Provision Prescribed or Required

The provision of the above-mentioned personal data is neither legally nor contractually required. However, without the IP address, the service and the functionality of our website cannot be guaranteed. Furthermore, individual services and functionalities may be unavailable or limited.

Objection

Please also read the information on your right to object under Art. 21 GDPR below.

Newsletter

Type and Purpose of Processing

For the delivery of our newsletter or similar information, we collect personal data submitted to us via an input form.

A valid email address is required for a successful registration. To verify that a registration is actually made by the owner of an email address, we use the double opt-in procedure. This involves recording the newsletter signup, sending a confirmation email, and the receipt of the requested confirmation response. No further data is collected.

At the time of submitting the signup form, the following data will also be stored:

Legal Basis

Based on your explicit consent (Art. 6 (1) (a) GDPR), we will regularly send you our newsletter or comparable information by email to your specified address.

Recipients

We use a service provider for sending newsletters, who acts as our data processor.

Storage Period

The data is only processed in this context as long as the corresponding consent exists.

Provision Prescribed or Required

The provision of your personal data is voluntary and based solely on your consent. Without existing consent, we cannot send you our newsletter.

Withdrawal of Consent

You may withdraw your consent to the storage of your personal data and its use for the newsletter distribution at any time with effect for the future. You can unsubscribe either via the link provided in each newsletter or via the contact information provided in this Privacy Policy.

Appointment booking

Purpose of processing
When you request an appointment on our website, we process your details (e.g., name, email, desired time, optional notes) to check availability and create the event in our Microsoft 365 calendar. A Microsoft Teams meeting link can be generated and the invitation email is sent via Microsoft Exchange Online.

Categories of data
Name, email address, requested time slot (start/end, duration), optional notes, technical metadata (e.g., timestamps, request IDs), and calendar fields (subject, attendees, optional online-meeting link). For security, we use email confirmation (double opt-in), HMAC signatures, and anti-spam CAPTCHA/Turnstile.

Legal bases (Art. 6 GDPR)

• Art. 6(1)(b) GDPR (contract / pre-contractual steps) to arrange the appointment,

• Art. 6(1)(f) GDPR (legitimate interests) for security and abuse prevention (e.g., CAPTCHA, minimal logging).
  Marketing use occurs only with separate consent (Art. 6(1)(a) GDPR).

Recipient / Processor
We use Microsoft 365 (Microsoft Ireland Operations Limited) as our processor for calendar and email. Microsoft processes Customer Data under the Microsoft Data Protection Addendum (DPA) and provides appropriate safeguards (including Standard Contractual Clauses). For many online services, Microsoft’s EU Data Boundary keeps processing within the EU/EFTA; limited scenarios (e.g., support/telemetry) may still involve restricted transfers with DPA safeguards. For details see Microsoft Cloud Privacy.

International transfers
Our Tenant is in Europe. Where transfers outside the EU/EEA occur (e.g. telemetric data), they rely on the EU Standard Contractual Clauses and the additional measures described in the DPA.

Retention
Confirmation tokens expire quickly (typically ~30 minutes). Calendar entries remain until deleted/archived under our organizational retention rules. Technical logs are rotated and deleted periodically. We will provide concrete periods on request.

Necessity / refusal
We cannot arrange an appointment without your name, email and desired time; without confirmation (double opt-in) the reservation expires.

Spam/Abuse Protection (Cloudflare Turnstile)

On selected forms we use Cloudflare Turnstile provided by Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA. Turnstile helps us detect automated access (bots) and prevent abusive use of our forms.

Categories of data processed: technical telemetry such as IP address, user agent, referrer/page URL, timestamps and browser-provided signals required to distinguish genuine users from automated requests. Form field contents are not sent to Cloudflare for this check.

Purposes: safeguarding forms against spam/abuse; ensuring availability and security of our online services.

Legal basis: depending on implementation,

• Art. 6(1)(a) GDPR (consent) where Turnstile is loaded only after your consent (e.g., via a consent banner) — you can withdraw consent at any time with future effect; or

• Art. 6(1)(f) GDPR (legitimate interests) in providing a secure website and defending against automated attacks.

Recipients/third-country transfer: Cloudflare, Inc. (USA). Adequate protection is ensured, inter alia, by Standard Contractual Clauses (SCCs).

Retention: Cloudflare processes the above signals only as long as necessary for bot detection and service operation. We do not permanently store Turnstile check data.

Requirement/Provision: The check is required to submit forms securely. Without a successful Turnstile check, form submission may be blocked.

Objection/withdrawal: If Turnstile is based on consent, you may withdraw it in the cookie settings at any time. Where we rely on legitimate interests, you may object on grounds relating to your particular situation (Art. 21 GDPR).

For more information, please refer to Cloudflare’s privacy information pages.

Cookies

A cookie is a small data file that is created when a website is visited and temporarily stored on the system of the website visitor. When the server of this website is called again by the user, the browser of the user sends the previously stored cookie back to the server. The server can evaluate the information obtained through this procedure. Cookies can make it easier to navigate a website.

Detailed information about cookies and which cookies are used for which purpose on this website can be accessed at any time in the cookie settings.

Deleting Cookies

You can delete individual cookies or the entire cookie inventory. You can also find information and instructions on how to delete these cookies or block their storage in advance. Depending on your browser provider, you can find the necessary instructions at the following links:

• Mozilla Firefox: https://support.mozilla.org/de/kb/cookies-loeschen-daten-von-websites-entfernen
• Microsoft Edge: https://support.microsoft.com/de-de/windows/verwalten-von-cookies-in-microsoft-edge-anzeigen-zulassen-blockieren-l%C3%B6schen-und-verwenden-168dab11-0753-043d-7c16-ede5947fc64d
• Google Chrome: https://support.google.com/accounts/answer/61416?hl=de
• Opera: http://www.opera.com/de/help
• Safari: https://support.apple.com/kb/PH17191?locale=de_DE&viewlocale=de_DE

You can also generally prevent the loading of so-called scripts. For example, NoScript only allows JavaScript, Java, and other plugins to run on trusted domains of your choice.

Information and instructions on how to configure this feature can be obtained from your browser provider (e.g., for Mozilla Firefox: https://addons.mozilla.org/de/firefox/addon/noscript/).

Technically Necessary Cookies

Type and Purpose of Processing

We use cookies to make our website more user-friendly. Some elements of our website require that the calling browser can be identified even after a page change.

The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognized even after a page change.

An overview of the cookies used can be found in our cookie consent tool.. For the following applications we require cookies:

Legal Basis and Legitimate Interest

The data processing is carried out solely based on our legitimate interest in a user-friendly design of our website and in documenting consent pursuant to Art. 6 (1) (f) GDPR in conjunction with a balancing of interests under §25 (2) TDDDG.

Recipients

The recipients of the data may be technical service providers who act as data processors for the operation and maintenance of our website.

Storage Period

The respective storage duration of the cookies can be found in our cookie consent tool.

Provision Prescribed or Required

The provision of the above-mentioned personal data is neither legally nor contractually required. However, without this data, the service and the functionality of our website cannot be guaranteed. Furthermore, individual services and functionalities may be unavailable or limited.

Objection

Please also read the information on your right to object under Art. 21 GDPR below.

Information on Your Right to Object under Art. 21 GDPR

Right to Object on a Case-by-Case Basis

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6 (1) (f) GDPR (data processing based on a balancing of interests); this also applies to profiling based on this provision within the meaning of Art. 4 No. 4 GDPR.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing is for the establishment, exercise, or defense of legal claims.

Recipient of an Objection

Benedict Bordewicz
Karlsbader Str. 138
09456 Annaberg-Buchholz

Email: info@craftiqflow.ai

Changes to Our Privacy Policy

We reserve the right to amend this privacy policy to ensure that it always complies with current legal requirements or to reflect changes to our services in the privacy policy, e.g., when introducing new services. The new privacy policy will then apply to your next visit.

Questions about Data Protection

If you have any questions about data protection, please email the controller mentioned above.

Last updated: 09.09.2025