Controller
The controller for the processing of personal data on this website under the GDPR is:
PASSION4IT GmbH
represented by Christian Kirsch
Postackerweg 9
94234 Viechtach
Germany
info@passion4it.de · www.passion4it.de
All further mandatory disclosures (commercial register, management, professional liability insurance) can be found in the legal notice.
Data protection officer
We have appointed an external data protection officer whom you can contact directly:
Stefan Köster eConsulting
Stefan Köster
Op de Elg 13a
22393 Hamburg
Germany
stefan@koester-eConsulting.com · koester-eConsulting.com
What we process and why
We only process personal data where there is a legal basis — typically your consent (Article 6(1)(a) GDPR), contractual initiation (b), a legal obligation (c) or our legitimate interest in operating a secure and functioning website (f). Personal data means any information that can identify you — for example, name, email address, phone number, IP address or the content of an enquiry.
We aim for data minimisation: standard technical data on each page request, plus what you actively share with us via forms, email or a booked meeting. Nothing more.
Hosting and delivery — Cloudflare Pages
This website runs on Cloudflare Pages and is delivered via the Cloudflare CDN. Provider is Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA. When a page is requested, Cloudflare processes technical connection data (in particular your IP address, browser/device information, referrer, date and time of request) to deliver the content, balance load, mitigate DDoS attacks and provide TLS encryption.
Legal basis: Article 6(1)(f) GDPR (legitimate interest in secure, performant delivery). We have concluded a data processing agreement with Cloudflare including the EU standard contractual clauses; Cloudflare is certified under the EU-U.S. Data Privacy Framework. For details see the Cloudflare privacy policy.
Cookies and consent
We use cookies and comparable technologies only where they are technically necessary or where you have actively consented. On your first visit a consent banner appears with three categories:
- Necessary — always active. Stores your consent decision and basic functions (such as language selection).
- Analytics — optional. Helps us understand how the website is used (see "Analytics" below).
- Marketing — optional. We currently do not enable any services in this category; it is reserved as a placeholder for future retargeting tools and remains inactive without your consent.
The consent banner is built on the open-source library vanilla-cookieconsent v3. It runs entirely in your browser, does not transmit anything to third parties and stores your decision locally in a first-party cookie. You can change or fully revoke your consent at any time via the "Cookie settings" link in the footer — the lawfulness of processing carried out before revocation remains unaffected.
Legal basis for the storage of optional cookies and comparable technologies: § 25(1) of the German Telecommunications-Digital Services Data Protection Act (TDDDG) in conjunction with Article 6(1)(a) GDPR (consent). For technically necessary cookies we rely on § 25(2)(2) TDDDG.
Server log files
Every page request causes your browser to automatically transmit technical data to our hoster Cloudflare. The following data is collected in particular:
- IP address (truncated as soon as no longer needed for delivery)
- Date and time of the request
- Requested URL and HTTP status
- Browser type, browser version and operating system
- Referrer URL (the page you came from)
This data is technically required to deliver the website, detect security attacks (e.g. DDoS) and fix errors. Legal basis: Article 6(1)(f) GDPR. We do not merge server logs with other data sources and do not create personal profiles from them.
Fonts — self-hosted
We use the "TT Supermolot Neue" typeface family (TypeType Foundry). The fonts are served directly from our servers (via the Cloudflare CDN) — no connection to third parties such as Google Fonts or Adobe Fonts takes place.
Embedded video and audio
YouTube in extended privacy mode
Some pages (e.g. Speaker, Mission, AI Consulting) embed YouTube videos. We use the extended privacy mode of YouTube via the youtube-nocookie.com domain. In addition, we apply a "click-to-load" facade pattern: as long as you do not actively start a video, no connection to YouTube or Google servers is established — what you see is only a locally stored thumbnail.
Once you click "Play", the YouTube embed loads. At that point, data is transmitted to YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company Google LLC, USA) — typically IP address, browser/device information and the requested video ID. If you are signed in to your YouTube/Google account, YouTube can associate the access with your account. Legal basis is your consent through the active click on "Play" (Article 6(1)(a) GDPR) or our legitimate interest in presenting our content (Article 6(1)(f) GDPR). Transfers to the USA are based on the EU-U.S. Data Privacy Framework and the standard contractual clauses. For more see the Google privacy policy.
Spotify episodes
On the Speaker page we link podcast episodes featuring Christian Kirsch via a Spotify embed. Here too we use the click-to-load facade pattern: only after you actively click "Play" does the embed from open.spotify.com load, and only then is data transferred to Spotify AB, Regeringsgatan 19, 111 53 Stockholm, Sweden. Before that, no Spotify connection takes place. Legal basis: Article 6(1)(a) GDPR (consent via active interaction). For details see the Spotify privacy policy.
Analytics — PostHog (EU)
With your consent we use PostHog on the EU instance to understand how our pages are used (reach and funnel analysis, click paths, device/browser distribution). Provider is PostHog, Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA; your data is processed via the EU instance eu.posthog.com — i.e. within the EU.
PostHog sets first-party cookies to recognise returning sessions and records, among other things, IP address (anonymised), page views, click events, browser/device information, screen size and referrer. We do not use session recording, do not use personalised heatmapping and do not track across devices.
Legal basis: Article 6(1)(a) GDPR in conjunction with § 25(1) TDDDG. You can revoke consent at any time via the cookie settings — we will then disable PostHog for your browser. We have concluded a data processing agreement with PostHog including the EU standard contractual clauses. For more see the PostHog privacy policy.
Google Tag Manager
With your consent (category "Analytics" or "Marketing") we load Google Tag Manager from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Tag Manager itself is a container that only manages other tags (see the sections on Google Analytics 4, Google Ads and the LinkedIn Insight Tag). When the container loads, technical connection data — in particular your IP address — is transmitted to Google because the container is delivered from Google servers (googletagmanager.com).
We use Google Consent Mode v2: your consent decision (analytics/marketing) is propagated to every tag managed by the container, so tags whose category you did not consent to do not fire at all. As long as you accept neither analytics nor marketing cookies, Tag Manager is not loaded.
Legal basis: Article 6(1)(a) GDPR in conjunction with § 25(1) TDDDG. Data transfers to the US rely on the EU standard contractual clauses; Google is certified under the EU-U.S. Data Privacy Framework. For more see the Google privacy policy.
Google Analytics 4
With your consent (category "Analytics") we use Google Analytics 4 via Google Tag Manager (measurement ID G-034D5S2DLX, provider Google Ireland Limited). Google Analytics uses first-party cookies (e.g. _ga, _ga_*) and records, among other things, anonymised IP address, page views, time on page, device and browser information, and interaction events (e.g. form submissions, clicks on phone numbers/email addresses).
We enable IP anonymisation and Google Consent Mode v2; advertising features (Google Signals, demographics) are disabled. Data is processed on Google servers in the US, with the EU standard contractual clauses and the Data Privacy Framework as transfer basis.
Legal basis: Article 6(1)(a) GDPR in conjunction with § 25(1) TDDDG. You can revoke consent at any time via the cookie settings. For more see the Google privacy policy and the Google Ads Services Terms.
Google Ads (conversion tracking & remarketing)
With your consent (category "Marketing") we use Google Ads via Google Tag Manager (conversion ID AW-18141052135, provider Google Ireland Limited). Google Ads lets us measure whether a click on one of our ads led to a conversion (e.g. meeting booking, form submission, whitepaper download) and optimise our ads accordingly.
When you click on a Google ad a conversion cookie is stored on your device (typically with a 30-day lifetime). When you visit certain pages on our website, the conversion linker checks whether the cookie is present and transmits an anonymised conversion signal to Google. Individual users are not identified in this process.
Legal basis: Article 6(1)(a) GDPR in conjunction with § 25(1) TDDDG. Data transfers to the US rely on the EU standard contractual clauses; Google is certified under the EU-U.S. Data Privacy Framework. You can revoke consent at any time via the cookie settings, or disable ad personalisation directly with Google: adssettings.google.com.
HubSpot — CRM, forms and meeting booking
We use HubSpot to organise enquiries, initial conversations and our customer relationships. Provider is HubSpot, Inc., 2 Canal Park, Cambridge, MA 02141, USA, represented by HubSpot Ireland Ltd., One Dockland Central, Guild Street, Dublin 1, Ireland.
HubSpot is used in three ways:
- Forms (Contact, Digital Check, AI Readiness): when you submit a form, your browser transmits the entered fields directly to the HubSpot Forms API, which writes the record into our CRM. Legal basis: Article 6(1)(b) GDPR (pre-contractual measures) or (a) (consent) for pure lead-capture forms.
- Meeting booking (HubSpot Meetings): embedded on the contact, speaker and service pages. Data you provide in the booking dialog (name, email, preferred time) is transferred to HubSpot. Legal basis: Article 6(1)(b) GDPR.
- CRM tracking pixel (HubSpot Analytics): with your consent (category "Analytics") an additional HubSpot tracking script loads, which links page views and form interactions with your CRM record once you have been identified (e.g. by clicking a personalised link in an email or submitting a form). Legal basis: Article 6(1)(a) GDPR in conjunction with § 25(1) TDDDG.
HubSpot transfers data to group companies in the USA. We have concluded a data processing agreement with HubSpot; transfers are based on the EU standard contractual clauses, and HubSpot is certified under the EU-U.S. Data Privacy Framework. For details see the HubSpot privacy policy.
Enquiries by email, phone or meeting
If you contact us by email, phone or via a booked initial meeting, we process your contact details and the content of your enquiry in order to respond. Legal basis is Article 6(1)(b) GDPR, where your enquiry aims at a contract; otherwise Article 6(1)(f) GDPR (legitimate interest in efficient handling). We store this data until the purpose has been fulfilled or statutory retention periods (e.g. § 257 HGB, § 147 AO) require longer storage.
Microsoft 365 and Microsoft Teams
For internal office communication, video calls and workshop sessions we use Microsoft 365 and Microsoft Teams. Provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.
When we conduct an online meeting with you, Microsoft typically processes: display name, email address, meeting metadata (date, time, meeting ID), and during the meeting audio/video/chat content. We do not record meetings unless we have expressly agreed this with you in advance. Legal basis: Article 6(1)(b) GDPR (contract initiation/performance) or Article 6(1)(f) GDPR (efficient conduct of meetings). We have concluded a data processing agreement with Microsoft.
Applicant data
If you apply to us (via the linked Personio portal, by email or by post), we process the application data submitted in order to decide on employment. Legal basis is § 26(1) BDSG (initiation of an employment relationship) or Article 6(1)(b) GDPR. Applications that do not lead to a contract are deleted no later than 6 months after the procedure has ended, unless you have expressly consented to longer retention for future positions. The applicant platform Personio (Personio SE & Co. KG, Buttermelcherstraße 16, 80469 Munich, Germany) processes the data on our behalf — for details see the Personio privacy policy.
Social media profiles
We maintain publicly accessible profiles on LinkedIn, YouTube and Instagram. On the respective platforms, data processing is jointly controlled with the platform operator (Article 26 GDPR). We do not have full influence on this and cannot guarantee that your data will only be processed in line with this privacy policy.
The passion4it.de website itself does not embed any social plugins (e.g. "Like" buttons, like boxes, in-feed widgets) — we link to our profiles statically only. Data is transmitted to the platform operators only when you actively click a profile link.
Platform privacy policies: LinkedIn · YouTube (Google) · Instagram (Meta).
Transfers to third countries
Several of the services listed above (Cloudflare, PostHog, HubSpot, Google Tag Manager/Analytics/Ads, Microsoft, YouTube/Google, Spotify, LinkedIn, Meta/Instagram) transfer data to group companies outside the EU/EEA — in particular to the USA. We base these transfers on:
- the EU standard contractual clauses under Article 46(2)(c) GDPR (incorporated into the respective data processing agreements),
- the EU-U.S. Data Privacy Framework, where the respective provider is certified (Article 45 GDPR),
- if applicable, your express consent under Article 49(1)(a) GDPR for services that are loaded exclusively on a consent basis.
We point out that a level of data protection comparable to that of the EU cannot be guaranteed in third countries. Access by state authorities (e.g. US security agencies) to personal data cannot be fully excluded.
Storage periods
We store personal data only for as long as necessary for the respective purpose. Contact enquiries are deleted after the case is closed; contractual data is retained in accordance with commercial and tax retention obligations (6 to 10 years under § 257 HGB and § 147 AO). Analytics data in PostHog is stored for a maximum of 12 months, after which it is deleted or aggregated automatically. CRM data in HubSpot is retained as long as there is a legitimate interest in the customer relationship, but at the latest until you object.
Your rights
You have the right at any time to:
- Access the personal data stored about you (Article 15 GDPR),
- Rectification of inaccurate data (Article 16 GDPR),
- Erasure, where no retention obligation applies (Article 17 GDPR),
- Restriction of processing (Article 18 GDPR),
- Data portability in a machine-readable format (Article 20 GDPR),
- Object to processing based on Article 6(1)(f) GDPR and to direct marketing (Article 21 GDPR),
- Withdraw consent already given, with effect for the future (Article 7(3) GDPR).
Send an informal message to info@passion4it.de or contact our data protection officer directly. In addition, you have the right to lodge a complaint with the competent data protection supervisory authority (for PASSION4IT GmbH: Bayerisches Landesamt für Datenschutzaufsicht, BayLDA, Promenade 18, 91522 Ansbach, Germany).
SSL / TLS encryption
The entire website is delivered exclusively over HTTPS (TLS). Your browser indicates this with the padlock symbol and the https:// prefix in the address bar. Transmissions from your browser to our server are therefore encrypted and cannot be read by third parties.
Advertising emails
The use of contact data published in the legal notice for the purpose of sending unsolicited advertising and information materials is hereby objected to. We reserve the right to take legal action in the event of unsolicited advertising — for example by spam email.
Changes to this privacy policy
We update this privacy policy when we introduce new services, when legal requirements change or when existing processing operations cease. The version applicable at any time is the version published on this page. Material changes are marked with an updated "Version" date at the top.